yep, credit that the guy partially tried - but prefacing your first interaction about a serious issue by "I'm not available [to contact through most of the usual communication methods]" is sort of self-defeating.
He's reporting a vulnerability on a website. It is absolutely reasonable to expect to be able to report it through email, and utterly ridiculous of AMEX to refuse. That's where the conversation ends, not with "well, you should spend your time fighting through these costly and obsolete mechanisms so you can do us a favor".
