This research is being carried out by a team at the Centre for Research on Cryptography and Security at Masaryk University. The work was supported by the CyberSec4Europe project, Red Hat Research as well as the Internal grant agency of Masaryk University, project CZ.02.2.69/0.0/0.0/19_073/0016943.

  • Petr Svenda
  • Stanislav Bobon
  • Adam Janovsky
  • Jiri Michalik
  • Dominik Macko
  • Jan Jancar
  • Łukasz Chmielewski

A thanks goes to Jaroslav Řezník for their insight into the security certification landscape, and Martin Ukrop for their help on the project.

If you would like to contact us, you can do so at svenda@fi.muni.cz.


Cyber Security for Europe
Metacentrum logo
EU logo


sec-certs: Examining the security certification practice for better vulnerability mitigation

Adam Janovsky, Jan Jancar, Petr Svenda, Lukasz Chmielewski, Jiri Michalik, Vashek Matyas

Preprint Computers & Security journal

	title = {sec-certs: Examining the security certification practice for better vulnerability mitigation},
	journal = {Computers & Security},
	volume = {143},
	year = {2024},
	issn = {0167-4048},
	doi = {https://doi.org/10.1016/j.cose.2024.103895},
	url = {https://www.sciencedirect.com/science/article/pii/S0167404824001974},
	author = {Adam Janovsky and Jan Jancar and Petr Svenda and Łukasz Chmielewski and Jiri Michalik and Vashek Matyas},
	keywords = {Security certification, Common criteria, Vulnerability assessment, Data analysis, Smartcards}

Products certified under security certification frameworks such as Common Criteria undergo significant scrutiny during the costly certification process. Yet, critical vulnerabilities, including private key recovery (ROCA, Minerva, TPM-Fail...), get discovered in certified products with high assurance levels. Furthermore, assessing which certified products are impacted by such vulnerabilities is complicated due to the large amount of unstructured certification-related data and unclear relationships between the certificates. To address these problems, we conducted a large-scale automated analysis of Common Criteria and FIPS 140 certificates. We trained unsupervised models to learn which vulnerabilities from NIST's National Vulnerability Database impact existing certified products and how certified products reference each other. Our tooling automates the analysis of tens of thousands of certification-related documents, extracting machine-readable features where manual analysis is unattainable. Further, we identify the security requirements that are associated with products being affected by fewer and less severe vulnerabilities (on average). This indicates which aspects of certification correlate with higher security. We demonstrate how our tool can be used for better vulnerability mitigation on four case studies of known, high-profile vulnerabilities. All tools and continuously updated results are available on this site.

Chain of trust: Unraveling the references among Common Criteria certified products

Adam Janovsky, Lukasz Chmielewski, Petr Svenda, Jan Jancar, Vashek Matyas

Preprint IFIP SEC 2024

With 5394 security certificates of IT products and systems, the Common Criteria for Information Technology Security Evaluation have bred an ecosystem entangled with various kind of relations between the certified products. Yet, the prevalence and nature of dependencies among Common Criteria certified products remains largely unexplored. This study devises a novel method for building the graph of references among the Common Criteria certified products, determining the different contexts of references with a supervised machine-learning algorithm, and measuring how often the references constitute actual dependencies between the certified products. With the help of the resulting reference graph, this work identifies just a dozen of certified components that are relied on by at least 10% of the whole ecosystem -- making them a prime target for malicious actors. The impact of their compromise is assessed and potentially problematic references to archived products are discussed.

Privacy policy

This site collects personal data in order to provide notifications about vulnerabilities or changes in certified products.

Personal data

This site collects the following personal data:

  • Email address. It is required to send notifications.

The collected personal data resides only on the server running this site.

Right to access personal data

You have a right to access your personal data that this site collects. If you want to exercise this right please send an email request to the above email address.

Right to correct personal data

You have a right to correct your personal data that this site collects. If you want to exercise this right please send an email request to the above email address.

Right to be forgotten

You have a right to have your personal data deleted. Your personal data is deleted automatically after your notification subscription is cancelled. The personal data associated to an unconfirmed subscription request is deleted after 7 days from the date of the subscription request. If you want to exercise this right please send an email request to the above email address.

Reason for collection

Email addresses are collected in order to provide a notification service, notifying users about potential vulnerabilities or changes in certified products they subscribed to. The collected personal data is not provided to any third parties. The emails are sent through a local mail server and not a third-party service.


This project is open-source, you can find its sources on our Github where you can see how your personal data is processed.

The site uses some third and first-party tools that handle user data, namely Sentry.io, hCaptcha and Matomo. Sentry.io is a third-party service used to track errors on the frontend and backend of the site and thus might receive information such as the IP address, HTTP headers or the client's User-Agent, or other information included in a JavaScript error. This site is protected by hCaptcha and its Privacy Policy and Terms of Service apply. Matomo is a self-hosted service that collects analytics on this site.