Note: I don’t work for Netlify.
I’m not sure what you should do next, but if it were me I would do nothing.
Primarily because I believe that it’s most likely a wild goose chase.
I would expect the client to provide enough detail for me to act upon, or I would do precisely nothing.
The screenshot implies the vulnerability is via TCP request to this URL (that I may have typed wrong):
https://www.putmanlake.com/no5_such3_file7.pl?"><script>alert(73541);</script>
It appears to make the wild assumption that you’re running Perl.
You are not running Perl, Netlify does not support Perl.
Netlify also have a Bug Bounty Program.
I would not liase with the 3rd party unless doing so was part of my agreement with the client.