Once I worked for a company where part of the website had been compromised by an attacker, and was being used to host some malware. We only found out when a random visitor found it, then looked through the site and found a random support address (which was supposed to be internal-only), and sent us an e-mail to tell us about it, which luckily generated a ticket which we eventually reviewed.
We would have preferred someone called us immediately, in case we didn't see the ticket immediately. But we didn't have a security hotline publicly listed.
Putting a phone number in a big public directory of phone numbers for when e-mail doesn't work isn't a bad idea, regardless of what anyone (including the EU) says. We've had phone books forever. This is just a phone book for domains.
We would have preferred someone called us immediately, in case we didn't see the ticket immediately. But we didn't have a security hotline publicly listed.
Putting a phone number in a big public directory of phone numbers for when e-mail doesn't work isn't a bad idea, regardless of what anyone (including the EU) says. We've had phone books forever. This is just a phone book for domains.