
Inclusion Criteria

The entry in the Web Hacking Incidents Database FAQ describing which incidents are included in the database and which are not seems simple, but hides a lot of complexity. While it might seem obvious what a web hack is, nothing is further from the truth. Is a hack only a real break-in, or any vulnerability discovered in a live web site? We recently changed the criteria for inclusion in WHID. The reason was simple: to make the database more useful. We made two changes:

  • Gone are most vulnerability disclosures. They can only marginally be called hacks anyway, and on top of that, they blur the difference between this database and your normal everyday vulnerability registries such as Bugtraq and CVE. A small number of vulnerability disclosures still make their way into WHID, if the relevant web site is important enough to justify it, or alternatively, if the case can teach us something.
  • The requirement for court-grade proof that the hacking was web based was removed. The requirement made the database very objective, but severely limited our ability to include incidents in it. We now include stories that we believe are the result of a web hack, even without hard evidence. We are ready to remove stories if we find out differently, which recently happened with the TJX incident.

The new criteria balance the need for objective selection of incidents against the need to bring good stories that people will find useful. Not having CardSystems in WHID for a long time was just not justifiable. Bottom line: now we have all the good stories, and just the good stories.
