Were they waiting for the release to report this? Note that the vulnerability also affects Firefox 2.0.x. I would expect a fast fix.
What we can confirm is that about five hours after the official release of Firefox 3.0 on June 17th, our Zero Day Initiative program received a critical vulnerability affecting Firefox 3.0 as well as prior versions of Firefox 2.0.x. We verified the vulnerability in our lab, acquired it from the researcher, then promptly reported the vulnerability to the Mozilla security team shortly after. Successful exploitation of the vulnerability could allow an attacker to execute arbitrary code. Not unlike most browser based vulnerabilities that we see these days, user interaction is required such as clicking on a link in email or visiting a malicious web page.
Mozilla is reported to be working on a fix.
The Zero Day Initiative has been criticized in the past for paying researchers who find vulnerabilities.