I’m just gonna leave these here:
[1] https://security-tracker.debian.org/
[2] https://security.archlinux.org/
...then everyone can compare upstream/downstream fixing times for themselves.
Remember: “not yet assigned” is equivalent to “not fixed”.