Your experimental report sounds a lot like a Common Criteria evaluation.
It may not be perfect, but it DOES provide an evidence-based assessment of a product.
And if it doesn't answer the questions you're asking:
• "are there buffer overflows"
• "can you tell what it's doing"
• "does it transmit your key in the SSL packet headers"
• "does it store your secrets in plain sight"
then you're not looking in the right places, or you need to bake your questions into the requirements.