Sec-certs: Mining issued Common Criteria and FIPS140-2 certificates

The security certification reports might be long but is also a trove of publicly available data about otherwise proprietary devices and other products otherwise available only under NDA. While downloading and reading a single certificate is easy, reasoning about the characteristics of the whole ecosystem now with more than ten thousand certified devices based on human-written documents is different.

Are there observable systematic differences between the Common Criteria and FIPS140-2 certificates? Can I quickly found if my device is using a certified component recently found vulnerable? And most importantly, can we measure and quantify if the whole process is actually increasing the security of the products being certificated?

The developed tool is publicly available at seccerts.org