This has happened to me at least twice when disclosing security issues. They acknowledge the incident, they fix it, and then they attacked me when I published my report.
I once owned an AS domain. Despite the fact that they list themselves as having an office in NYC, writing to them, emailing them and calling their listed number generated no response to requests I made to have the administrative contact changed. They have no proper web interface either. I dropped my AS domain due to their complete incompetence and lack of support. Looks like that was the best move I could have made after this recent incident was made public.