End-to-end walkthrough of a QorTrace audit: triage, engineer assignment, review phases, draft, finalization, certificate publication.

This walkthrough applies to both Standard ($4,900 / 5–7 business days) and Deep Dive (from $24,000 / scoped by SOW). Differences are flagged inline.

1. Submit (you · ~2 minutes)

You provide one of:

  • A GitHub URL — public or via OAuth on a private branch with reviewer access for the QorTrace engineer.
  • A ZIP upload (≤ 5 MB).
  • A raw source paste (≤ 250 KB single file).

Supported languages: Solidity, Move, Rust (Anchor / Solana programs), Cairo. Other languages are available on Deep Dive only.

You also tell us:

  • Contract / system name.
  • Deployment target (chain, network, intended audience).
  • Known risk areas you want us to focus on.
  • Any prior audits (we cross-reference).

2. Triage (us · 4 business hours for Standard, 1 business day for Deep Dive)

A QorTrace engineer:

  • Confirms the scope matches your plan / credit.
  • Asks for any missing context (test suite, threat model).
  • For Deep Dive: kicks off a 30-min scoping call.

You get an email confirming your engagement is in queue with an expected delivery date.

3. Engineer assignment (us · same day as triage)

Your audit is pinned to a named engineer (the auditor-of-record). Their public bio page is linked in your engagement record. For Deep Dive, you also get a lead engineer + an internal reviewer.

The engineer's identity ends up on the final certificate so the audit is non-anonymous.

4. Review phase (us · 3–4 business days Standard / 1–4 weeks Deep Dive)

The engineer runs:

  • Slither + Mythril static analysis.
  • Our PQC-cipher linter (currently internal; an open-source release is on the roadmap).
  • The QorTrace methodology checklist v3.2 (full rubric below).
  • Manual review — line-by-line for critical paths.

Findings are graded Critical / High / Medium / Low / Informational per the QorTrace rubric.

5. Draft report (us · day 5 Standard / pre-final-week Deep Dive)

You receive:

  • The full PDF report.
  • A machine-readable JSON of findings.
  • A 1-on-1 walk-through option (included in Deep Dive, $300 add-on for Standard).

You have 2 business days to:

  • Contest false positives in writing.
  • Flag scope gaps.
  • Apply patches you'd like re-reviewed.

The engineer responds in writing within 1 business day.

6. Final report & certificate

Once the draft is signed off:

  • Final PDF + JSON delivered.
  • A public verification certificate is published at qortrace.com/labs/verify/<cert-id>.
  • The certificate carries: QorTrace logo, engineer name, methodology version, SHA-256 of the report payload.
  • The cert page is shareable on LinkedIn with a pre-baked OG image.

7. Trust Center (auto)

The certificate is auto-posted to your Trust Center at qortrace.com/trust/<your-slug>. Anyone you share that URL with — regulators, procurement, investors — sees the cert + your full QorTrace history.

SLAs at a glance

Step                Standard              Deep Dive
Triage              4 business hours      1 business day
Engineer assigned   same day as triage    same day as triage
Draft delivered     day 5                 mid-engagement
Final delivered     day 7                 per SOW (2–6 weeks)

Refunds during the lifecycle

  • Refundable up to engineer assignment.
  • Non-refundable after triage (engineer time consumed).
  • See the refunds doc for full policy.