A few months ago I found the method by which I could upload a flash file to Google with a XSS alert. I reported it but they said this:
Hey, Thanks for your bug report! The domain in which the feature is hosted - googlegroups.com - is specifically meant as a compartmentalized "sandbox" for various types of potentially unsafe, user-controlled content. This domain is isolated from any sensitive content due to the same-origin policy. You can read more about commonly reported false positives here: http://www.google.com/about/appsecurity/reward-program/#notavuln Regards, Adam B.
To reproduce the vulnerability I followed this steps:
Here I uploaded my .swf file with the XSS alert...