Personally, I'd just send a patch to my favorite browser removing their certificate from the trust chain, and then send StartSSL an email with a link to that. Although I doubt anyone will merge your change, it sends a cynical message about how their entire business lives and dies at the whims of people with commit access to the list of trusted CAs.