The dynamic email feature (AMP) allows users to use dynamic HTML messages in email, letting them perform different tasks directly within an email, such as responding to a Google Docs comment, completing questionnaires, replying to an invitation to an event and browsing a catalog. Google made the feature generally available in July.

Michał Bentkowski, chief security researcher at Securitum, analyzed AMP4Email and found that it could be abused for XSS attacks. Although AMP4Email provides protections against such attacks, the researcher found a way to bypass them through an old browser feature called DOM Clobbering. DOM Clobbering is a classic technique, known in web browsers, that is used in XSS attacks. Using DOM Clobbering, the researcher showed how an attacker could add malicious code to an email via AMP4Email and have it run on the victim's side when the email was opened.

However, as Bentkowski showed, exploitation of the vulnerability did not pose a serious risk, since it could not bypass the AMP Content Security Policy (CSP), which is designed to prevent XSS attacks. In addition, the expert noted that the attacker's malicious code would be executed in an AMP domain rather than in Gmail.

Google nevertheless described the vulnerability as "amazing" and awarded the researcher a $5,000 bug bounty, which is the standard amount for XSS flaws. "Google also expressed concern about this case as they did not want to open up JavaScript emails (which could be used to send browser exploits)," Bentkowski said.

The vulnerability was reported to Google on August 15 and it was patched before October 12.
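
DOM Clobbering works because browsers expose elements that carry an `id` (and certain elements that carry a `name`) as properties of `window` and `document`, so plain markup can shadow a global that a script expects to be undefined. The following is an added example, not code from AMP, Google or the researcher: a validator-style check that flags such attributes before markup is accepted. The reserved names, the prefix and the sample markup are hypothetical.

```javascript
// RESERVED and RESERVED_PREFIXES are hypothetical: list the global names your
// own scripts read (e.g. `window.appConfig`) plus any built-ins you rely on.
const RESERVED = new Set(['appConfig', 'settings', 'cookie', 'forms', 'body']);
const RESERVED_PREFIXES = ['APP_'];

// Opening tags; quoted attribute values may contain '>' so they match as units.
const TAG_RE = /<([a-zA-Z][^\s\/>]*)((?:"[^"]*"|'[^']*'|[^'">])*)>/g;
// One attribute per match: name, then an optional quoted or bare value.
const ATTR_RE = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Returns one finding per id/name attribute that could shadow a global.
// Conservative: `name` is checked on every element, and a repeated id is
// flagged because named access then yields a collection, not one element.
// A production validator should work on a real HTML parser's output.
function findClobberingCandidates(html) {
  const findings = [];
  const seenIds = new Set();
  for (const [, tag, attrs] of html.matchAll(TAG_RE)) {
    for (const m of attrs.matchAll(ATTR_RE)) {
      const attr = m[1].toLowerCase();
      if (attr !== 'id' && attr !== 'name') continue;
      const value = m[2] ?? m[3] ?? m[4] ?? '';
      if (value === '') continue;
      let reason = null;
      if (RESERVED.has(value)) reason = 'reserved-name';
      else if (RESERVED_PREFIXES.some((p) => value.startsWith(p))) reason = 'reserved-prefix';
      else if (attr === 'id' && seenIds.has(value)) reason = 'duplicate-id';
      if (attr === 'id') seenIds.add(value);
      if (reason) findings.push({ tag: tag.toLowerCase(), attr, value, reason });
    }
  }
  return findings;
}

// Constructed sample markup, not taken from the research described above.
const SAMPLE = `
<div id="content" title="a > b">Hello</div>
<a id="appConfig" href="https://example.com/">link</a>
<form name="APP_flags"><input name="email"></form>
<p id="note">one</p><p id="note" data-id="settings">two</p>
<span title='id="cookie"'>quoted text is not an attribute</span>`;

console.log(findClobberingCandidates(SAMPLE));
```

On the script side, the matching habit is to type-check anything read from `window` or `document` before trusting it, rather than treating a truthy value as configuration.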