February 6, Novell Inc.
Your experimental report sounds a lot like a
Common Criteria evaluation

It may not be perfect, but it DOES provide an
Evidence Based Assessment of a product

And if it doesn't answer the questions you're asking -
are there buffer overflows, can you tell what it's doing, does it transmit your key in the SSL packet headers, does it store your secrets in plain sight
Then you're not looking in the right places, or
You need to bake your questions into the requirements