|from here (background info)|
SSL encryption isn't magical security dust that solves all security problems. It does a pretty good job of preventing legitimate visitor's data from getting leaked to malicious 3rd parties, but it does absolutely nothing to protect a website against a malicious visitor. Sears clearly needs a better way to handle website vulnerability reports.
Thanks to Louis Nadeau for tweeting about this, and Andrew Leeming for bringing it to my attention.
(Update 2016/08/13: According to Louis Nadeau, everything went much more smoothly after that initial mix-up, but wow what a mix-up)