I don't consider telephone contact for security vulnerabilities to be that unreasonable. They should support PGP encrypted email, yes, and have a page about how to report incidents, issue tracking numbers, etc., but it took me ~3 minutes on the phone to get the right info for Amex corporate security.