path: root/chromium/docs/security/faq.md
Diffstat (limited to 'chromium/docs/security/faq.md')
-rw-r--r--chromium/docs/security/faq.md20
1 files changed, 14 insertions, 6 deletions
diff --git a/chromium/docs/security/faq.md b/chromium/docs/security/faq.md
index efc562df7d6..44d5843293f 100644
--- a/chromium/docs/security/faq.md
+++ b/chromium/docs/security/faq.md
@@ -144,13 +144,21 @@ are considered security vulnerabilities in more detail.
No. Chromium contains a reflected XSS filter (called XSSAuditor) that is a
best-effort second line of defense against reflected XSS flaws found in web
-sites. We do not treat these bypasses as security bugs in Chromium because the
-underlying issue is in the web site itself. We treat them as functional bugs,
-and we do appreciate such reports.
+sites. We do not treat these bypasses as security bugs in Chromium because the
+underlying security issue is in the web site itself. Instead, we treat them as
+functional bugs in Chromium.
-The XSSAuditor is not able to defend against persistent XSS or DOM-based XSS.
-There will also be a number of infrequently occurring reflected XSS corner
-cases, however, that it will never be able to cover. Among these are:
+We do appreciate reports of XSSAuditor bypasses, and endeavor to close them.
+When reporting an XSSAuditor bypass, two pieces of information are essential:
+* The exact URL (and for POSTs, the request body) triggering the reflection.
+* The view-source: of the page showing the reflection in the page text.
+
+Please do not provide links to vulnerable production sites seen in the wild,
+as that forces us to embargo the information in the bug.
+
+Note that the XSSAuditor is not able to defend against persistent XSS or
+DOM-based XSS. There will also be a number of infrequently occurring reflected
+XSS corner cases that it will never be able to cover. Among these are:
* Multiple unsanitized variables injected into the page.
* Unexpected server side transformation or decoding of the payload.
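Review bot: the second required item, "* The view-source: of the page showing the reflection in the page text.", is ambiguous as written: read literally it asks for a `view-source:` URL, whereas what triagers need is the server response itself, so they can see exactly how and where the payload was echoed. Suggest rewording to "* The relevant portion of the page source (e.g. as shown by view-source:) showing where and how the payload is reflected." The following paragraph asks reporters not to link vulnerable production sites but does not say what to do instead; a sentence such as "Instead, reproduce the reflection on a test page you control." would make the request actionable. Finally, since the rewritten opening now states that bypasses are treated as "functional bugs in Chromium", a pointer to where such functional bugs should be filed would keep reporters from submitting them through the wrong channel.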