[OJFord]

This isn't a Google security incident though, they could fix it, but it's not obvious they should/would care to me?

It's the third-party's security team (if there is one, otherwise engineering, contractor hirer, whoever) that should care isn't it?

[tazjin]

Yes, but the way that would work is that somehow this should bubble through the security org to someone in Cloud Sales, who can then look in Salesforce who the relevant internal sales contacts (i.e. the people from Google that the affected company is in touch with) are and reach out to them.