Enquiries with the IBD show that no verification was done with the NCSC or the TYPO3 security team about the specific leak and whether it was a new vulnerability. This makes it very likely that it concerned an issue from September 2016 or, as the IBD hinted in the telephone call, 2014.