Set a limit for old security breaches

[MattGrimes]

If a website was hacked 3 years ago we probably don't need to tell users about it. I'd say if the incident is more than a year old we should skip it. @gregglind Thoughts?

[gregglind]

I might even say 6 months. I have no good data or evidence.

Science >> superstition

On Aug 19, 2016 4:09 PM, "MattGrimes" notifications@github.com wrote:

If a website was hacked 3 years ago we probably don't need to tell users about it. I'd say if the incident is more than a year old we should skip it. @gregglind https://github.com/gregglind Thoughts?

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/mozilla/security-advisor-shield-study/issues/20, or mute the thread https://github.com/notifications/unsubscribe-auth/AAKAj56WPdXKgQDZ1n42OsvJT9RbDFYqks5qhhuOgaJpZM4Jo23F .

[casebenton]

Sometime a breach is discovered years after it occurs. Should we take this into account? Here's an rss feed of the breach data API that I'm using. There are many recent additions to the data set that occurred years ago.

Considering this, would you still like me to remove "old" breaches? Alternatively, I could identify "old" breaches by the date that they became publicly known and added to the data set, rather than the date that the breach occurred.

[MattGrimes]

Hmm. Maybe showing the date the breach was discovered would work. That might give people the false impression that it is a NEW breach though. If it happened 3 years ago and you've changed your password since then and we notify you today, you'll change your password again for no reason. @gregglind got a preference?

[casebenton]

I could display both the breach date and discovery date in the panel. Do you think that would be too much info to throw at users?

[MattGrimes]

That might work. It depends on screen real-estate I guess.