CESICAT sent me an email on Sep 13, 2019, 4:54 PM stating the following:

I haven't updated this report for a long time, so this is the timeline of the most important events since CESICAT had access to the vulnerability details until now:

T13 and T14 were considered the same bug by Google in their own issue tracker, so I marked T14 as a duplicate of T13 in my issue tracker.

I emailed an AES-256 encrypted ZIP file with a translation of this report in Catalan on Jun 10, 3:18 AM and I just gave CESICAT the key via another contact method, so I'm setting this vulnerability as reported on Jun 11, 1:00 PM because this is when they first had access to the document.

Prinsen Group seems to have disappeared completely from the map and exactly 1 year has passed since the vulnerability was first known, so I'm disclosing it publicly and marking it as WontFix.

The third party says the vulnerability is fixed and I could verify it too, so I'm publishing the vulnerability.

The third party says the vulnerability is fixed and I could verify it too, so I'm publishing the vulnerability.

I received a repsonse from them on Tue, Mar 12, 6:44 PM:

Just as an observation, this report was sent to pau@ub.edu on Feb 7, 2019, 12:43 AM, 20 days ago.

I've been quite busy for the last week so I haven't been able to update this issue until today.

On Tuesday, December 13, at 10:12 AM, a Jutge.org developer told me that this had been fixed, and I could verify it that same day.

Yesterday at 14:26 someone from CESICAT called me in order to confirm that the issue was solved, as I had noticed the day before, when I updated this report.

CESICAT hasn't replied yet to the message I sent them yesterday, but I have just seen that they the reproduction steps are no longer functional, so they must have fixed it or are actively working on fixing it.