How QorTrace scores onchain projects and what makes our methodology auditable.
QorTrace's full methodology is published at /methodology and stamped against immutable version IDs (currently qortrace-method-v0.2). This page is a quick orientation.
Why we publish this
Audit findings are only as credible as the methodology behind them. We publish ours in full so that:
Reviewers can reproduce our scores — every finding cites a section of the methodology.
Auditors can cite a specific revision in their workpapers.
Future agents can run regressions against the same scoring engine to detect drift.
What's covered
Threat model — Shor/Grover, but also HNDL (harvest now, decrypt later), KMS/HSM inventory, PKI inventory, vendor supply chain, regulatory windows.
Scoring engine — separate formulas per chain family (Bitcoin, EVM, Solana).
Detector inventory — 9 baseline Solidity detectors with example trigger snippets.
Compliance alignment — NIST FIPS 203/204/205, NSA CNSA 2.0, ISO 27001, SOC 2, FFIEC, ENISA, EU DORA.
Reproducibility
Every audit report is stamped with the methodology version it was scored under. Later methodology version bumps don't retroactively re-score old reports.