I was not the first to report this issue, but the fix languished for quite some time, since no one realized quite how bad it was. I wasn’t aware of the original bug report and discovered the issue independently. I was the first to report the much more serious consequences of it. The vulnerability itself was technically public and fixed, and I waited 6 months to publish the more serious attack scenarios (when a CVE was finally publicly requested). My full description is here:
http://blog.blindspotsecurity.com/2016/06/advisory-http-header-injection-in.html