[tlrobinson]

Why don't they just publish the key on the site?

[tptacek]

They should.

[eyeareque]

They should post it, and preferably on an https site.

[danielsiders]

Probably because security@ emails are routed through their normal helpdesk system which doesn't handle PGP properly.

[akerl_]

I doubt that their security emails do that, but even if they do, changing how you get the key wouldn't fix a PGP compatibility issue, since once you have the key you'd still be emailing them using it.