The SSL Observatory client should listen for and submit invalid certs
There's an API for doing so here:
https://mxr.mozilla.org/mozilla-central/source/security/manager/ssl/public/nsIBadCertListener2.idl
There's an API for doing so here:
https://mxr.mozilla.org/mozilla-central/source/security/manager/ssl/public/nsIBadCertListener2.idl