Let’s say you’ve reported a bug that you’ve observed in a theme or plugin. Good job by the way!
Should you… Go through the effort of reproducing the bug in a clean sandbox environment, provide steps to reproduce, a description, screenshots, or video of the observed versus expected behaviors? …Reference the URL within their own demo site? …Possibly even workaround descriptions or code sample?
YES! Typically that’s all a developer needs to fix the issue in the next version.
Should you share a clean sandbox environment URL and admin credentials with the developer to review the issue?
SURE! This isn’t necessary, but it’s a kind effort and can get things moving.
Should you provide the developer admin access to your production site so they can diagnose or repair the issue?
ABSOLUTELY NOT
I’ve observed this quite a few times. After I report bugs I find to theme and plugin developers they request access to my client’s site. Sometimes their support licensing will only cover that domain. They claim they will repair the issue for us. I don’t buy it. I don’t trust giving them (wherever and whomever they may be) access to a site where they can steal data or apply unknown changes in such as way that I may ultimately find disagreeable or futile.
Rather, my approach is to reproduce the bug in as clean of an environment as possible and, if necessary, give them access to that environment. It won’t contain all of the other plugins and settings which aren’t pertinent to the bug. It won’t contain confidential client and end user information. It will be a clear representation of the bug in a box stock configuration — where it ideally should have been caught in the first place.
I use a “throw away” environment in a cheap BlueHost site running the latest WordPress, WooCommerce, and Storefront (default) theme. I configure just the bare minimum necessary to reproduce the bug.