A researcher who discovered the vulnerability said it was fixed in December, after he first reported it to the agency in September.