Help us quickly reproduce the bug

Google has a lot of web properties to defend. There are hundreds if not thousands of individual apps, a multitude of different account types, permissions, and sharing settings. Some of the services come in many flavors - say, one for mobile users, another for desktop systems, and yet another with a bunch of experimental features that are being made available to the select few testers out there.

In fact, chances are, you may be more familiar with the tested application than the one person on the Google Security Team who happens to be handling your report this week :-)

In this spirit, please make it easy for us to reproduce and confirm bugs! It can be really confusing to get a report like this:

Hi Google!
There's an XSS in Google Fuzzy Bunnies. When the attacker submits JavaScript code to the server, it will execute.

You don't necessarily have to write an essay; for example, for most types of reflected XSS, a repro URL may be enough:

Hi Google!
There's a reflected XSS in Google Fuzzy Bunnies.

To reproduce, visit https://fuzzy-bunnies.google.com/bunny_dispenser?bunny_type="><script>alert(document.domain)</script>

Even in more complicated cases, we just need the bare minimum of information required to reproduce the bug, say:

Hi Google!
I found an XSS vulnerability in Google Fuzzy Bunnies.

Steps to reproduce:
  1. Go to https://fuzzy-bunnies.google.com/bunny_contact_form
  2. Click "Chat with a bunny specialist"
  3. Insert "><img src=x onerror=alert(document.domain);// > in the textfield
  4. Click "send".

Try to repeat the attack based on your description. This will help you catch any omissions and help avoid any eventual back-and-forth.

With this improved version everything is awesome! Well, apart from the bug itself - that one is nasty. But as long as we can reproduce it easily without circling back to you, we can fix it sooner, get you a reward, and have more time for other cool bugs!