You're exactly right, Tom. We dropped the ball on having the security@37signals.com account setup before this issue so reports went to our normal support team. A specific email address with an associated GPG key has since been added to our security page and there is a person who is tasked to respond. This was added on August 23rd when the problems with the process around the previous XSS problem were discovered.