Why Did the WPScan Vulnerability Database (and Automattic) Sit on Plugin Vulnerability for Over 3 Months?
The WPScan Vulnerability Database, which is owned by Automattic, markets itself with this claim on their homepage:
Be the first to know about vulnerabilities affecting your WordPress website
Yet, on December 8 they added an entry for a vulnerability in RegistrationMagic with this claim:
Note: The issue was reported to us in August 2021 and we notified the vendor about it; however, Wordfence found it as well in September and disclosed it before us.
More detail on that comes in a comment on Wordfence’s relevant post from the same day:
I found and reported this issue to the vendor and WP Scan on the 18th of August as I believe you are aware?
So they didn’t alert their customers or anyone else about this for 112 days and presumably would have failed to do that for even longer if Wordfence hadn’t disclosed it.
Their note doesn’t explain why they would do that, but reporting vulnerabilities to them doesn’t seem like a good idea.