Put your e-mail on your profile. The smart appsec groups, like Google's, would look at your hack as a resume. Seriously, who would have ever thought of XSS via DNS?
You could have just alert'd, too, but no. Harlem Shake. Bravo.
Am I the only one here that doesn't get what I should be looking for? I see the TXT fields have google-site-verification and peniscorp but what is that doing?
They finally fixed it, but when this was first posted, the whois sites didn't do any sanitization of the TXT records, which meant that they'd just slap the record into the page. As the record included HTML saying, "hey, load this script from peniscorp", loading the page would let the script loaded there do various manipulations.
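
The flaw described in the comment above, sketched as an added example that is not part of the original thread or any lookup site's code: a DNS lookup page that pastes TXT values into its markup, next to the same page with output escaping and a restrictive Content-Security-Policy. The function names, the sample records and the `example.invalid` host are constructed for illustration.

```python
import html

# Constructed sample: TXT values as a lookup tool might receive them for one domain.
SAMPLE_TXT = [
    b"google-site-verification=CONSTRUCTED-TOKEN",
    b"<script src='https://static.example.invalid/x.js'></script>",
    b"v=spf1 -all",
]

def decode_txt(raw: bytes) -> str:
    """TXT data is arbitrary bytes chosen by the zone owner; never assume clean text."""
    return raw.decode("utf-8", errors="replace")

def render_unsafe(records):
    """The 'before': record text is concatenated straight into the markup."""
    rows = "".join(f"<tr><td>TXT</td><td>{decode_txt(r)}</td></tr>" for r in records)
    return f"<table>{rows}</table>"

def render_safe(records):
    """The fix: HTML-escape every record value at the point of output."""
    rows = "".join(
        f"<tr><td>TXT</td><td>{html.escape(decode_txt(r), quote=True)}</td></tr>"
        for r in records
    )
    return f"<table>{rows}</table>"

def response_headers():
    """Defense in depth: a CSP that refuses third-party and inline scripts."""
    return {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    }

def contains_live_markup(page: str) -> bool:
    """Crude regression check: did a record-supplied script tag survive rendering?"""
    return "<script" in page.lower()

if __name__ == "__main__":
    print("unsafe page has live script tag:", contains_live_markup(render_unsafe(SAMPLE_TXT)))
    print("safe page has live script tag:  ", contains_live_markup(render_safe(SAMPLE_TXT)))
```

Escaping belongs at render time because the record itself is legitimate DNS data; the same applies to any other field the page displays from a zone the operator does not control.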