
Yes (vulnerabilities rather than exploits, although these disclosures often contained proofs of concept.) It was the de facto standard vehicle for this.



No, it was the de facto standard mailing list for releasing vulnerabilities. Over the last 7 years it's gotten less and less relevant as a way of releasing vulnerabilities, because large public mailing lists are not a particularly effective way to publish vulnerabilities.

People seem to believe that happened because vulnerabilities started to obtain a market value, but:

* The serious high-end memory corruption vulnerabilities were (a) more common and (b) much simpler at FD's inception, making them more amenable to posting on a list; in 2014, a high-end vulnerability is likely to be complex enough to merit in-depth consideration on a blog instead.

* Table-stakes XSS vulnerabilities also tend to get written up in blogs (where they help establish a track record for researchers whose future employers aren't going to trawl through FD looking for them), and when they get bought, get bought by bug bounties. It is hard to argue that bug bounties are a bad thing; nobody benefits from a web vulnerability in a SaaS product other than the operator of the SaaS product.



