QorTrace

How third parties (your customers, regulators) confirm a QorTrace audit is genuine.

Every QorTrace audit is publicly verifiable without revealing your source code. Here's how.

For your customers / partners

Send them either:

  • The verify URL: https://qortrace.com/verify/<audit_id>
  • The audit ID alone — they can paste it at /verify

They'll see:

  • Subject — what was audited (contract name + chain)
  • Tier — Standard / Deep Dive
  • Methodology version — qortrace-method-v0.2 or later
  • Verdict — Pass / Pass with caveats / Fail
  • Severity counts — Critical / High / Medium / Low
  • Signed PDF link — they can download and re-verify
  • Last verified — anyone can hit the page; we log anonymised view counts

They will not see:

  • Your source code
  • Your repo URL
  • Your account email
  • The full text of any finding (only severity counts)

For compliance reviewers (SOC 2, ISO 27001, DORA)

Generate a methodology receipt PDF:

  https://qortrace.com/methodology/receipt/<audit_id>

It includes:

  • Audit metadata (subject, tier, date, version)
  • Methodology version cited section-by-section
  • Compliance alignment statements (FIPS 203/204/205, CNSA 2.0, DORA, etc.)
  • A hash chain — every receipt links to the next, so reviewers can confirm none have been omitted
  • A signature they can verify against our public Ed25519 audit-signing key (published at /security)

For everyone — verifying a PDF you've been handed

Got a QorTrace PDF from a third party and want to confirm it wasn't tampered with?

  1. Visit /verify
  2. Drag-and-drop the PDF
  3. We hash it and check the signature against the original audit_id on file

Common results:

  • ✅ Verified — PDF matches what we issued.
  • ⚠️ Modified — PDF differs from what we issued (e.g. someone added a watermark or stripped a page). The audit IS still genuine, but they've edited the artefact.
  • ❌ Unknown — we have no record of this audit. Either the ID is wrong or it's a forgery.
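The /verify flow above, together with the Revoked state described under Revocation, as an added Go example that is not QorTrace's own code: it hashes the handed-in PDF, checks the Ed25519 signature held on file with the audit-signing public key, and classifies the outcome. The registry record shape, the signed-message format (audit ID joined to the hex hash) and the all-zero-seed throwaway key are assumptions; in practice the public key is the one published at /security.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Record is what the verifier keeps on file per audit_id (assumed shape, not QorTrace's schema).
type Record struct {
	PDFHash   string // hex SHA-256 of the PDF bytes as issued
	Signature []byte // Ed25519 signature over auditID + ":" + PDFHash (assumed message format)
	Revoked   bool
}

func pdfHash(pdf []byte) string {
	sum := sha256.Sum256(pdf)
	return hex.EncodeToString(sum[:])
}

// Classify reproduces the /verify outcomes; the audit ID is bound into the signed message so a signature cannot be replayed under another audit_id.
func Classify(pdf []byte, auditID string, pub ed25519.PublicKey, reg map[string]Record) string {
	rec, ok := reg[auditID]
	if !ok || !ed25519.Verify(pub, []byte(auditID+":"+rec.PDFHash), rec.Signature) {
		return "Unknown" // no record, or a record the audit-signing key never signed
	}
	if rec.Revoked {
		return "Revoked" // signature still valid, but the audit's standing is null
	}
	if pdfHash(pdf) != rec.PDFHash {
		return "Modified" // genuine audit, but the artefact was edited after issue
	}
	return "Verified"
}

// NewDemoRegistry issues one constructed audit under a throwaway all-zero-seed key (demo only); in practice pub is the audit-signing key published at /security.
func NewDemoRegistry() (ed25519.PublicKey, map[string]Record, []byte) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	pub := priv.Public().(ed25519.PublicKey)
	pdf := []byte("%PDF-1.7 constructed sample audit body")
	h := pdfHash(pdf)
	sig := ed25519.Sign(priv, []byte("audit-0001:"+h))
	return pub, map[string]Record{"audit-0001": {PDFHash: h, Signature: sig}}, pdf
}

func main() {
	pub, reg, pdf := NewDemoRegistry()
	fmt.Println(Classify(pdf, "audit-0001", pub, reg)) // Verified
}
```

Appending a watermark or stripping a page changes the hash, so the same record yields Modified rather than Verified, while an ID with no record yields Unknown.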

Public registry

Every audit is queryable at /api/public/audits/{id} (no auth needed) — useful for building your own verification UIs. The response is the same data as the verify page in JSON form.

Revocation (rare)

In the unlikely event we revoke an audit (e.g. a supplied source was misrepresented), the verify page shows a ❌ Revoked banner with the reason. The PDF signature still verifies (PDFs are immutable) but the audit's standing is publicly null. We've revoked exactly 0 audits as of writing.

Bulk verification

For procurement teams that need to verify dozens of vendor audits, hit /api/public/audits/bulk-verify with a JSON array of IDs. You get a single response with all verdicts. No auth required.