The EUCC ISAC is launching this questionnaire to identify organisations and experts interested in contributing to a reference base of technical documents about attack methods, attack potential and minimum tooling in the domain of software evaluation targeting all possible assurance levels of the EUCC scheme (AVA_VAN.3, AVA_VAN.4, AVA_VAN.5). As the cybersecurity landscape continues to evolve, the involvement of knowledgeable stakeholders is essential to ensure that evaluation methodologies, protection profiles, and supporting materials remain accurate, relevant, and aligned with current industry practices and consider attackers profiles. The EUCC scheme will benefit from technical expertise grounded in already well established and recognised attack paths, methodologies, and tooling requirements.

The purpose of this questionnaire is to gather information about your background, expertise, areas of interest, and potential contributions. Your input will help shape future working group activities, including the development of technical guidance, attack-method catalogues, harmonisation efforts with international standards, and the identification of domain-specific experts. These deliverables will be refined by category of products to provide with specific to provide specific attack method, attack quotation etc. tailored to the evaluation of each software technology.

It is not expected that all respondents possess specific or advanced expertise in Common Criteria. Your experiences in evaluating software products, whether or not within the framework of a certification (FITCEM or equivalent, Common Criteria, SESIP, etc.), will be valued through your technical contributions to guidelines in penetration testing, vulnerability scanning, code review…

Your expertise in secure software development, assessment methodologies, vulnerability management, software assurance frameworks, and industry best practices is highly valuable. This broader technical knowledge will directly support and enrich the EUCC maintenance process, especially when it comes to defining domain-specific requirements, attack methods, and evaluation approaches. Your current participation in Working Groups in the field of cybersecurity for software products is an asset, as it will help avoid duplication and promote liaison with these Working Groups.

Participation is voluntary, and the information provided will be used solely to identify and contact potential contributors for EUCC ISAC initiatives. The questionnaire takes approximately 10–15 minutes to complete.

We sincerely thank you for your interest and contribution.