When the developers of a product pay for a third-party security assessment, the results are usually confidential - after all, who'd pay to have their product publicly badmouthed?
Perhaps BSI was merely attempting to provide such a service for free.
> Perhaps BSI was merely attempting to provide such a service for free.
Yup. That's something they do. They also do stuff like checking/scanning publicly accessible servers in Germany for outdated software/vulnerabilities and you'll get an e-mail if they find something (this is automated).
In this case there's the added dimension of the government using Truecrypt in some places at the time, so they had an interest in it being secure.
Perhaps BSI was merely attempting to provide such a service for free.