by toomuchtodo 1117 days ago
To your point, there should be some easy way to get a security incident report to the security team through an easily discoverable form or similar. This is as easy as a "security incident" option in a support ticket drop-down, and triage is required whether the ingest point is that form or a security@ email.
3 comments

You and I know this, but if you're not a security practitioner, you might not know. It might as well then be behind a door for a room with a sign that says "Beware of the Leopard."

I understand some scrappy startups like Google don't have the resources to have someone review security incident reports that come through a web form, but maybe they should if they want to be a legit cloud provider?

Googling "report google cloud security issue" does not turn up productive results. Compare to what you get when you google "report aws security issue."

The 3rd result for "report google cloud vulnerability" is productive.

Isn't that what the bug bounty program is?

https://bughunters.google.com/

Also, it doesn't shock me that somebody got a common group name early on in an internet-scale service's lifecycle. I've had a couple such experiences. Simple example: in the early days of Google Hangouts, you could choose your own meeting name in the URL. I chose "compass" for a meeting and accidentally landed in a meeting of Google engineers who were very surprised by my appearance. Fortunately my meeting was a meeting I had arranged so I beat feet and changed my URL to the default auto-generated URL before the rest of my participants arrived.

Fun times when it becomes common knowledge that the way to get attention when support isn't working is to claim a security incident, and everyone starts doing it, hah.

That's pretty easy to deal with: respond with only "not a security issue" if it's not.

Or, actually have support, but that's not Google's style.