Policy for major / minor methodology bumps, deprecation timelines, and how old certificates remain valid.
QorTrace's audit + scan methodology evolves as PQC standards firm up and as we learn from the field. We version it so old certificates remain interpretable forever, and so customers know in advance when to expect a change.
Current version
v3.2 — effective 2026-04-01. Full rubric archived at
/docs/labs/methodology/v3.2.
Versioning rules
- Patch bump (v3.2 → v3.2.1) — typo / clarification. No customer notice. Old certificates remain comparable.
- Minor bump (v3.2 → v3.3) — new finding category, expanded rubric. 30-day customer notice + release notes. Old certificates remain comparable.
- Major bump (v3 → v4) — score formula change, tier redefinition,
or breaking change to certificate schema. **60-day customer notice
- a comment window.**
How old certificates stay valid
Every certificate ID encodes the methodology version it was scored
against. The public verification page at /labs/verify/<cert-id>
shows that version, links to the archived rubric, and computes the
SHA-256 of the report payload so anyone can independently verify
integrity.
If a customer wants their old audit re-scored against the current methodology, we offer that as a fixed-price refresh ($1,500 for Standard, scoped for Deep Dive).
Public archive
Every version we've ever shipped is permanently available:
/docs/labs/methodology/v3.2(current)/docs/labs/methodology/v3.1/docs/labs/methodology/v3.0/docs/labs/methodology/v2.x
Deprecated versions are still readable forever; they just stop being the default for new audits.