Looks like they had a quiet policy on it from mid-2010. It didn't seem to get much fanfare until about a year later when it became common public knowledge. I guess it's possible both are lying or neither of them.
"Glenn Mangham, 26, had earlier admitted infiltrating the social networking website between April and May 2011."
I just checked my old emails and found XSS vulnerabilities I reported to Facebook, under their responsible disclosure policy but prior to the introduction of the bug bounty program, from late 2010 / early 2011. His timeline doesn't match reality.
Granted, it looks like they had a policy, but it's possible that not many people were aware of it. I don't know anyone that reads the lengthy ToS or policy documents of companies they deal with, and they didn't seem to give it much promotion until after this incident. He does specifically say bug bounty programme and not the policy, so I'm willing to give him that. If a company has a stance they do need to promote it and perhaps have stronger wording than "we might not hang you out to dry".
That's a discussion of it from back in August. It started prior to that. And before that Facebook redid its existing responsible disclosure policy (https://www.eff.org/deeplinks/2010/12/knowledge-power-facebo... | From December 2010).