Can your friend give some details? I am a security engineer for Facebook and I'm generally very wary of people who asked a "security expert friend of theirs" and claim that as the source of their own credibility. Beyond the proof, where's the argument for the exploitability of this website? There's little incentive within the platform for anyone to spend a nontrivial amount of time trying to exploit it. What does anyone gain out of controlling/taking this forum down? There might be a demo here and there, but the vast driving force behind such exploits will be because of recognition; it's all about the bragging rights.
Which is why I don't find your statement credible. If your friend found those vulnerabilities, there's vastly more incentive for him to disclose than to keep them secret. They hold zero practical value for him, and their biggest value is in terms of their potential social capital.