Reading your audit report

▒A%V·5EXW$U░$Q#HTZ2·S*7%YU5CH4A3TXWDYAZ?#@F0ZK▓F48KM%6X1#VVYVJ@E▓3>G3R/<\>&K▒J3▒Z#S▒?QJ▓ZCB&1█CG36UCF▒SE70░*CDHATS5?RU<0<?P█\SM99/A>NM@·6U%$P53VC▒PP2\&·1C?F1>F<9F@B%▒BTWJF1/9029#10&QM6▓&JY4W14MM?D1D*J&Q6/8<E4Q*T█0·B/2ZG@0▓ZF*?R░>65KNC▓%9BN8J▒@$HVY&PBZD0HP▓WWX1K3▓SYUY·33PEGGV?CM6░█S·PN8Z\6Y0ZY<M%4NH*T5@B>█VC0<B%JZ█Q&U▒A▒A%V·5EXW$U░$Q#HTZ2·S*7%YU5CH4A3TXWDYAZ?#@F0ZK▓F48KM%6X1#VVYVJ@E▓3>G3R/<\>&K▒J3▒Z#S▒?QJ▓ZCB&1█CG36UCF▒SE70░*CDHATS5?RU<0<?P█\SM99/A>NM@·6U%$P53VC▒PP2\&·1C?F1>F<9F@B%▒BTWJF1/9029#10&QM6▓&JY4W14MM?D1D*J&Q6/8<E4Q*T█0·B/2ZG@0▓ZF*?R░>65KNC▓%9BN8J▒@$HVY&PBZD0HP▓WWX1K3▓SYUY·33PEGGV?CM6░█S·PN8Z\6Y0ZY<M%4NH*T5@B>█VC0<B%JZ█Q&U▒A

9YC▒KS4█▒YRJ@C·1*ER7M/5\▓▒>AYA?50▓64/·?B6CXRDEYK7E▓#&S2<9K64TS%?8PAC██#NBV4>NN927\%29U░Z>J▓X$2P9B55P░G·F%VA&GGF█FD·%S6*6P▒?AND*3*5C>PKJ4T▒5ED>?/3MNA&4V▓3/·/·?▒R/5#4Z$T>\KDWX$9>▒/<XUMJJNSF&4GN9K▓5XM5&\ZTTTZ699@G?8@GN4E▓9&·KR8█7MK*▓·4Q<>MV░8V%>RCYZQ6>5D&X/#XDVASVC$%17BWF?$0#CBH4&8JPE<$*1C$QZ@DG5▓0░BZ▒W▓UYG3H1>6802Y3UU\>/9YC▒KS4█▒YRJ@C·1*ER7M/5\▓▒>AYA?50▓64/·?B6CXRDEYK7E▓#&S2<9K64TS%?8PAC██#NBV4>NN927\%29U░Z>J▓X$2P9B55P░G·F%VA&GGF█FD·%S6*6P▒?AND*3*5C>PKJ4T▒5ED>?/3MNA&4V▓3/·/·?▒R/5#4Z$T>\KDWX$9>▒/<XUMJJNSF&4GN9K▓5XM5&\ZTTTZ699@G?8@GN4E▓9&·KR8█7MK*▓·4Q<>MV░8V%>RCYZQ6>5D&X/#XDVASVC$%17BWF?$0#CBH4&8JPE<$*1C$QZ@DG5▓0░BZ▒W▓UYG3H1>6802Y3UU\>/

Every section of the PDF + verify page explained.

Your audit deliverable has three artefacts. Here's how to use each.

1. The signed PDF

Open from the email or Account → Audits → → Download PDF.

Sections:

Cover — methodology version, audit ID, signing key fingerprint.
Executive Summary — 1-page overview your CTO can paste into a board doc.
Findings — each finding has:
- Severity (Critical / High / Medium / Low / Info)
- Plain-English description
- Code excerpt with line numbers
- Reproducer (Deep Dive only)
- Remediation guidance
Threat Model (Deep Dive only) — narrative analysis of the contract's failure modes.
Methodology Citations — every finding maps back to a section of qortrace-method-v0.2.
Appendix — file inventory, line counts, compiler version detected.

The PDF is signed with our audit signing key. Anyone can verify authenticity by uploading it at /verify.

2. The public `/verify/<id>` page

Share this URL in your README, vendor questionnaires, or marketing collateral. It shows:

The audit overview (verdict, severity counts, methodology version)
Confirmation the PDF hasn't been tampered with
A link to the full PDF
An anonymised view-counter (helps you measure trust signals)

It does not show your source code or anything beyond what's already in the PDF.

3. The embeddable certificate SVG / PNG

A drop-in badge for your README or website. Choose between:

Compact pill (60×24 px) — sits next to your CI badges
Full card (560×320 px) — banner for marketing pages
Watermarked vs clean — pick on the audit detail page

Both formats are dynamically rendered from /api/audits/{id}/badge.svg so they always reflect the latest version.

How to act on findings

Severity ladder:

Critical → Fix before any deployment. We won't sign Deep Dive reports if Criticals remain unaddressed.
High → Fix in the same sprint. Document any wontfix decisions.
Medium → Track in your backlog, fix within a quarter.
Low / Info → Polish; not blocking.

Each finding includes a recommended fix. If our suggestion conflicts with your design, document the rationale in your repo — auditors love seeing that thought process.

Reading your audit report

1. The signed PDF

2. The public /verify/<id> page

3. The embeddable certificate SVG / PNG

How to act on findings

2. The public `/verify/<id>` page