US-CERT has a form for reporting security incidents – I wanted to report a .gov system that had been hacked and used as part of a phishing scam but cannot because it won’t accept my Australian phone number! Sigh..
The email to the technical contact in WHOIS will have to be sufficient then.