Question of "fair play"

I am starting a website review and certification program and am comming up on an issue. My review process focuses on "threats" to website visitors. This is the usual array of adware, spyware, viruses, privacy and spam.

Sites are examined closely to detect these threats and for a great many this is straight forward. Some site however allow users to upload files. There is always risk involved in this process.

How can I provide a fair decision for such sites? I know that ultimately, the content, even user supplied, is the responsibility of the website owner. Should I allow execptions for content that slips by their monitoring or should I simply tell them that the user supplied content is too great a threat to pass the review?

Al