Lack of HSTS (HTTP Strict Transport Security)

HTTP Strict Transport Security is frequently recommended as a best practice for stopping man-in-the-middle attacks against a given domain in the event of a CA compromise.

However, migrating all domains to HTTPS, and deprecating all clients that can only talk over plaintext HTTP takes time. We're constantly working on adding HSTS support to various services (such as www.google.com and other TLDs), and we are aware there's still much to do in this area.
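As an added illustration (not code from Google or the VRP page), the following Python checks a response's `Strict-Transport-Security` header the way a reviewer would before deciding whether "lack of HSTS" is worth reporting: it distinguishes a missing header from one that is syntactically invalid (and therefore ignored by browsers), revoked with `max-age=0`, shorter than one year, or limited to the apex domain without `includeSubDomains`. The sample responses are constructed, and the one-year threshold is an assumption taken from the common preload-list requirement.

```python
"""Assess the Strict-Transport-Security (HSTS) header of an HTTP response.

Added example; the sample responses below are constructed, not captured from
any real service. Directive names follow RFC 6797 (max-age, includeSubDomains)
plus the widely used, non-standard 'preload' token.
"""
from typing import Dict, Optional

# Assumption: one year is the floor for a strong policy (it is also the
# preload-list requirement); shorter values leave a wide downgrade window.
STRONG_MAX_AGE = 31_536_000

# Constructed sample response headers, keyed by a label.
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "no-hsts": {"Content-Type": "text/html"},
    "short": {"strict-transport-security": "max-age=300"},
    "revoked": {"Strict-Transport-Security": "max-age=0"},
    "apex-only": {"Strict-Transport-Security": "max-age=31536000"},
    "strong": {"Strict-Transport-Security": 'max-age="63072000"; includeSubDomains; preload'},
    "broken": {"Strict-Transport-Security": "max-age=abc; max-age=10"},
}


def parse_hsts(value: str) -> Optional[Dict[str, Optional[str]]]:
    """Split an STS field value into lower-cased directive names.

    Returns None when the value violates RFC 6797 syntax (duplicate directive
    or non-numeric max-age); user agents ignore such headers entirely.
    """
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, raw = part.partition("=")
        name = name.strip().lower()
        val = raw.strip().strip('"') if raw else None
        if name in directives:
            return None  # each directive may appear only once
        directives[name] = val
    if "max-age" in directives and not (directives["max-age"] or "").isdigit():
        return None
    return directives


def get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup, since HTTP header names are case-insensitive."""
    for key, val in headers.items():
        if key.lower() == name.lower():
            return val
    return None


def assess_hsts(headers: Dict[str, str]) -> Dict[str, object]:
    """Classify one response's HSTS posture.

    status is one of 'missing', 'invalid', 'revoked', 'weak', 'partial', 'ok';
    notes lists the concrete findings a reviewer would write down.
    """
    result: Dict[str, object] = {"status": "ok", "max_age": None,
                                 "include_subdomains": False, "preload": False, "notes": []}
    notes = result["notes"]
    value = get_header(headers, "Strict-Transport-Security")
    if value is None:
        result["status"] = "missing"
        notes.append("no Strict-Transport-Security header; plaintext requests are not upgraded")
        return result
    directives = parse_hsts(value)
    if directives is None or "max-age" not in directives:
        result["status"] = "invalid"
        notes.append("header does not parse per RFC 6797; browsers ignore it")
        return result
    max_age = int(directives["max-age"])
    result["max_age"] = max_age
    result["include_subdomains"] = "includesubdomains" in directives
    result["preload"] = "preload" in directives
    if max_age == 0:
        result["status"] = "revoked"
        notes.append("max-age=0 tells browsers to forget the policy")
        return result
    if max_age < STRONG_MAX_AGE:
        result["status"] = "weak"
        notes.append(f"max-age={max_age} is below one year")
    if not result["include_subdomains"]:
        if result["status"] == "ok":
            result["status"] = "partial"
        notes.append("includeSubDomains absent; subdomains are not covered by the policy")
    if result["preload"] and result["status"] != "ok":
        notes.append("preload token present but preload-list requirements are not met")
    return result


if __name__ == "__main__":
    for label, hdrs in SAMPLE_RESPONSES.items():
        r = assess_hsts(hdrs)
        print(f"{label:10} {r['status']:8} {'; '.join(r['notes']) or 'policy looks strong'}")
```

Run it directly to see one line per sample response. The header has to be observed on an HTTPS response to matter at all: RFC 6797 tells user agents to ignore it when received over plaintext HTTP, so a check against the `http://` listener says nothing about the domain's posture.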

Conclusion

Internally, we are already well aware of our HSTS posture and are actively working on adding HSTS support to additional endpoints. For this reason, we don't treat the lack of HSTS for a given domain as a bug that needs a separate response, tracking, and reward through Google VRP.

  • Missing HTTP Security Headers – ft. LiveOverflow