[ikeboy]

>the vulnerability was reported and fixed

If this was not really a vuln, then they wouldn't have told the researcher it was fixed.

OTOH maybe it wasn't exploitable because the backend checks it, but they still considered it a vulnerability and fixed the ability to put a bad email in at all.

[pfg]

Sure, it's a vulnerability in the sense that they didn't want to allow WHOIS-based verification from their web frontend (for whatever reason. Maybe it wasn't even a conscious decision and they just forgot to include it during some rewrite.)

It's not a vulnerability in the sense that it's not allowed in their CPS or by CA/B.