The dynamic e-mail feature (AMP) allows users to use dynamic HTML content in e-mails, letting them immediately perform various tasks within an e-mail, such as replying to a Google Docs comment, completing questionnaires, responding to an invitation to an event and browsing a catalog. Google made the feature generally available in July.

Michał Bentkowski, chief security researcher at Securitum, analyzed AMP4Email and found that it could be abused for XSS attacks. Although AMP4Email provides safeguards against such attacks, the researcher found a way to bypass them through an old feature called DOM Clobbering. DOM Clobbering is a classic web browser feature known from XSS attacks.

By using DOM Clobbering, the researcher demonstrated how an attacker could add malicious code to an e-mail via AMP4Email and run it on the victim's side when the e-mail was opened. However, as Bentkowski showed, exploitation of the vulnerability did not pose a serious risk, since it could not bypass the AMP Content Security Policy (CSP), which is designed to prevent XSS attacks. In addition, the expert said that the attacker's malicious code would be executed in an AMP domain rather than Gmail.

Google still described the vulnerability as "awesome" and awarded the researcher a $5,000 bug bounty, which is the standard amount for XSS flaws.

"Google also expressed concern about this case as they did not want to open up JavaScript in email (which could be used to send browser exploits)," Bentkowski said.

The vulnerability was reported to Google on August 15 and it was patched before October 12.