
Why not use GnuPG?


Using GPG is a much better idea and is in fact what most vendors, including the Microsoft MSRC, the Adobe and Cisco PSIRTs, and the Apple product security team already do.


I suspect for purposes of key distribution. If <huge company> doesn't feel like playing Zed's game, they could easily forgo issuing a GPG key. By using SSL, he's strong-arming them into participating.


Yep, exactly. People reporting vulnerabilities shouldn't have to beg to do it; they should be able to do it, and it's up to the corporations to provide more convenient means.

That and I thought it was a pretty cool hack to encrypt a payload using just a shell script and openssl. :-)

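The "shell script and openssl" idea from the comment above, as an added example that is not Zed's script or anything posted in this thread: a hybrid encryption round trip in which the reporter encrypts a report using nothing but the public key pulled out of the vendor's TLS certificate, and the vendor decrypts it with the matching private key. The certificate is a constructed self-signed stand-in generated locally; the file names, the function names and the `vendor.example` host are assumptions for the demo. In practice the reporter would obtain the vendor's real certificate with `openssl s_client -connect vendor.example:443 -showcerts` and confirm its fingerprint out of band.

```shell
#!/bin/sh
# Added example (not from the thread or from Zed's script): hybrid encryption of a
# vulnerability report with openssl, keyed only by the public key taken from a
# vendor's TLS certificate. The certificate below is a constructed self-signed
# stand-in; a real reporter would fetch the vendor's certificate with
# `openssl s_client -connect vendor.example:443 -showcerts` instead.
set -eu

# make_demo_cert DIR: write a constructed self-signed certificate and private key
# into DIR. Stands in for the vendor's TLS certificate and the vendor's private key.
make_demo_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=vendor.example" \
    -keyout "$1/vendor.key" -out "$1/vendor.crt" >/dev/null 2>&1
}

# cert_fingerprint CERT: print the SHA-256 fingerprint so the reporter can confirm
# out of band that the certificate really belongs to the vendor (the key
# distribution problem the thread is discussing).
cert_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256; }

# cert_pubkey CERT OUT: extract the certificate's public key as PEM.
cert_pubkey() { openssl x509 -in "$1" -pubkey -noout > "$2"; }

# encrypt_report PUBKEY REPORT OUTDIR: generate a random session key, encrypt the
# report with AES-256-CBC under that key, wrap the key with RSA-OAEP to the vendor's
# public key, then delete the plaintext session key. Output: OUTDIR/report.enc and
# OUTDIR/session.key.enc, both safe to send over an untrusted channel.
encrypt_report() {
  pub=$1; report=$2; out=$3
  openssl rand -hex 32 > "$out/session.key"
  openssl pkeyutl -encrypt -pubin -inkey "$pub" -pkeyopt rsa_padding_mode:oaep \
    -in "$out/session.key" -out "$out/session.key.enc"
  openssl enc -aes-256-cbc -pbkdf2 -pass "file:$out/session.key" \
    -in "$report" -out "$out/report.enc"
  rm -f "$out/session.key"
}

# decrypt_report PRIVKEY INDIR DEST: the vendor side. Unwrap the session key with
# the TLS private key, then decrypt the report into DEST.
decrypt_report() {
  key=$1; in=$2; dest=$3
  openssl pkeyutl -decrypt -inkey "$key" -pkeyopt rsa_padding_mode:oaep \
    -in "$in/session.key.enc" -out "$in/session.key.dec"
  openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$in/session.key.dec" \
    -in "$in/report.enc" -out "$dest"
  rm -f "$in/session.key.dec"
}

# demo: run the full round trip on a constructed placeholder report.
demo() {
  d=$(mktemp -d)
  make_demo_cert "$d"
  cert_fingerprint "$d/vendor.crt"
  cert_pubkey "$d/vendor.crt" "$d/vendor.pub"
  printf 'constructed report: placeholder vulnerability description\n' > "$d/report.txt"
  encrypt_report "$d/vendor.pub" "$d/report.txt" "$d"
  decrypt_report "$d/vendor.key" "$d" "$d/report.dec"
  cat "$d/report.dec"
  rm -rf "$d"
}

demo
```

Two caveats worth knowing before relying on this. First, `pkeyutl -encrypt` only works when the certificate carries an RSA key; a vendor whose site uses an ECDSA certificate cannot be reached this way at all. Second, confidentiality ends with whoever holds the TLS private key, which for many sites is a CDN or a hosting provider rather than the vendor's security team, and a key kept in an HSM or rotated after the report is sent may leave the vendor unable to decrypt it. That is why the reporter should record the fingerprint they encrypted to and quote it when they send the blob.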

If a vendor bothers to fix a security patch, the ad/disclosure is already signed, most of the time. Harvesting the keys from, e.g., the bugtraq archive seems convenient enough.

But yes, I also like the SSL idea; now if only Verisign and Comodo would be more trustworthy than the WOT...


Zed, could you make your e-mail address a bit easier to find? I don't use Twitter and figured you wouldn't want me phoning you up.


How is he strong-arming them by sending an encrypted blob around that only the vendor can see? The vendor can still choose to ignore the issue or sue the researcher.



