Avoid videos... but if you can't, here are some tips :-)

First of all, please consider if a video is truly necessary. It takes a lot of time for you to create, edit and upload one - and then, it takes effort on our end to watch it, pause it at just the right moment, and squint to write down the URLs and other pertinent details. Our vulnerability submission form is manned by security engineers, so there is relatively little value in putting together a presentation about the consequences of XSS bugs - writing down the steps needed to reproduce the flaw is probably all we need.

If you feel that attaching a recording would help, or if we were so stumped that we asked you to create one, here are some tips to make the process effective and smooth:

  • Make sure that your video is still accompanied by written instructions on how to reproduce the flaw, so that we do not have to manually jot down the details from individual frames.

  • Keep the video as short as possible and make sure that it captures all the steps required to pull off the attack. Please don't record yourself typing a description in a Notepad window; put the text in the report :-)

  • Make sure your video has sufficient resolution and bitrate for the text shown on screen to be legible. Watch the uploaded video to be sure!

  • Upload it to YouTube and set the visibility to "unlisted". Please note that we can't see YouTube videos marked as "private". Feel free to add music to your video.
