Obviously they don't just send the exploit directly in mail to a mailing list. Email, ask to talk to someone over the phone, explain the situation to that person, ask for references on prior releases being well-handled.
I want to avoid Monday morning quarterbacking, though. In hindsight the right course of action is always obvious.
Being google engineers, they should have direct contacts with Cloudflare and some other high-profile targets.