For each evaluated product, we publish a Consumer Guide on the Evaluated Products List that provides guidance on the authorised configuration and use, including any caveats, for that particular product.
The High Assurance evaluation program involves rigorous analysis and testing to search for any security vulnerabilities in a product.
High Assurance evaluations
Requesting a product evaluation
Organisations can request we evaluate a product via one of our evaluation programs. To request an evaluation, fill out the below form and email it to us at firstname.lastname@example.org.
We will work with you and the product vendor to understand the evaluation aims, expectations and timeframes.
Frequently asked questions
Why do you need source code to perform the evaluation?
We need to independently review the source code to be confident in the implementation and architecture of the product's security. Providing source code usually expedites the evaluation.
When can you begin the evaluation?
When we start the evaluation will depend on priorities, when information is provided by the vendor and the type of product itself.
We will advise vendors when we are starting the evaluation.
What is a Consumer Guide?
Consumer Guides are found on the Evaluated Products List (EPL). We publish a Consumer Guide for all products for which we have performed a cryptographic or high assurance evaluation.
Consumer Guides give a brief description of the product, detail the scope of the evaluation and include recommendations for secure product usage.
What information and support should vendors provide for an evaluation?
Vendors should provide a technical and/or engineering contact within the company (preferably located in Australia) to answer questions, detailed technical documentation and offline access to the full source code.
How long does an evaluation take?
The evaluation process generally takes several months. The time taken depends on the level of vendor cooperation and whether any security vulnerabilities are found during the evaluation. If we do find security vulnerabilities, whether we continue the evaluation depends on the implementation of a suitable fix.
Do you charge for evaluations?
No. We do not charge fees for conducting an evaluation. However, the vendor is responsible for arranging delivery of information, software and/or hardware to us (if secure electronic means is not a viable option) and providing any licences we need to conduct the evaluation.
Do vendors need a non-disclosure agreement (NDA) in place when the evaluation starts?
No.However, if requested, we can negotiate a NDA with the vendor. This can be a lengthy process that will postpone the start of the evaluation. To reduce delays, we have a standard NDA template which is available upon request.