Security analyst Russ McRee, from Seattle, has
posted on his blog why "Hacker Safe" certified websites are not so safe. His findings contradict
McAfee's statement about the service, which says of its web application scans:
"the web site is then "deep crawled," including flash embedded links and password protected pages, to find forms and other potentially dangerous "interactive elements." These are then exercised in specific ways to disclose any application-level vulnerabilities such as code revelation, cross-site scripting and SQL injection..."
The funny thing is that McAfee maintains that XSS vulnerabilities are not significant for the certification, because its service is intended to verify the security of credit card storage on web servers.