An attack scenario is essentially a brief summary of who may want to exploit a particular vulnerability, for what gain, and in what way. The goal isn't simply to go over the reproduction steps for the bug itself, but rather to think through how the entire exploitation process would play out.
For some vulnerabilities, such as an XSS bug on www.google.com, the attack vectors and the risk are pretty clear. But when reporting more esoteric and complex problems, it helps us to have a good analysis of this sort. For example, at some point we received reports that our implementation of SAML was non-compliant with a particular aspect of the 300-page specification for the protocol; we had to scratch our heads for quite a while to figure out the implications of that report!
Sometimes writing an attack scenario helps you discover that a particular issue has less impact than initially thought, perhaps because the attacker would need to start from a privilege level at which nothing new is gained by leveraging the bug. The opposite can also be true: even the most seasoned security researchers sometimes realize that the bug they found is more serious than it seemed, as soon as they try to write it all down.
To illustrate, consider the following reproduction steps:
The extension can now exploit arbitrary pages and e.g. extract your Gmail messages to get your passwords from third-party pages.
Trying to write up an attack scenario quickly reveals a flaw with the report:
Of course, if the attacker is in that starting position, they could just install malware on the machine. Backdooring an extension is also a possibility - but one that is not particularly interesting or unique.
Here are some tips for writing great attack scenarios:
Finding coding flaws is fun, but being able to think about and clearly articulate complex attack scenarios is what really makes a successful bug hunter - so any time invested in writing down attack scenarios will probably pay off in the long haul. Many of us come from a security research background and can attest to that :-)