Update Security FAQ XSS section

Describe what makes a good report.

Change-Id: Ia76e5eea68cd4ed490d0282662db432c7167cab3
Reviewed-on: https://chromium-review.googlesource.com/1110274
Commit-Queue: Tom Sepez <tsepez@chromium.org>
Reviewed-by: Chris Palmer <palmer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#570069}

docs/security/faq.md

@@ -144,13 +144,21 @@ are considered security vulnerabilities in more detail.
 
 No. Chromium contains a reflected XSS filter (called XSSAuditor) that is a
 best-effort second line of defense against reflected XSS flaws found in web
-sites.  We do not treat these bypasses as security bugs in Chromium because the
-underlying issue is in the web site itself.  We treat them as functional bugs,
-and we do appreciate such reports.
+sites. We do not treat these bypasses as security bugs in Chromium because the
+underlying security issue is in the web site itself. Instead, we treat them as
+functional bugs in Chromium.
 
-The XSSAuditor is not able to defend against persistent XSS or DOM-based XSS.
-There will also be a number of infrequently occurring reflected XSS corner
-cases, however, that it will never be able to cover. Among these are:
+We do appreciate reports of XSSAuditor bypasses, and endeavor to close them.
+When reporting an XSSAuditor bypass, two pieces of information are essential:
+*    The exact URL (and for POSTs, the request body) triggering the reflection.
+*    The view-source: of the page showing the reflection in the page text.
+
+Please do not provide links to vulnerable production sites seen in the wild,
+as that forces us to embargo the information in the bug.
+
+Note that the XSSAuditor is not able to defend against persistent XSS or
+DOM-based XSS. There will also be a number of infrequently occurring reflected
+XSS corner cases that it will never be able to cover. Among these are:
 *    Multiple unsanitized variables injected into the page.
 *    Unexpected server side transformation or decoding of the payload.