Every section of the PDF + verify page explained.
Your audit deliverable has three artefacts. Here's how to use each.
1. The signed PDF
Open it from the email or from Account → Audits →
Sections:
- Cover — methodology version, audit ID, signing key fingerprint.
- Executive Summary — 1-page overview your CTO can paste into a board doc.
- Findings — each finding has:
  - Severity (Critical / High / Medium / Low / Info)
  - Plain-English description
  - Code excerpt with line numbers
  - Reproducer (Deep Dive only)
  - Remediation guidance
- Threat Model (Deep Dive only) — narrative analysis of the contract's failure modes.
- Methodology Citations — every finding maps back to a section of qortrace-method-v0.2.
- Appendix — file inventory, line counts, compiler version detected.
The PDF is signed with our audit signing key. Anyone can verify authenticity by uploading it at /verify.
2. The public /verify/<id> page
Share this URL in your README, vendor questionnaires, or marketing collateral. It shows:
- The audit overview (verdict, severity counts, methodology version)
- Confirmation the PDF hasn't been tampered with
- A link to the full PDF
- An anonymised view-counter (helps you measure trust signals)
It does not show your source code or anything beyond what's already in the PDF.
3. The embeddable certificate SVG / PNG
A drop-in badge for your README or website. Choose between:
- Compact pill (60×24 px) — sits next to your CI badges
- Full card (560×320 px) — banner for marketing pages
- Watermarked vs clean — pick on the audit detail page
Both formats are dynamically rendered from /api/audits/{id}/badge.svg so they always reflect the latest version.
How to act on findings
Severity ladder:
- Critical → Fix before any deployment. We won't sign Deep Dive reports if Criticals remain unaddressed.
- High → Fix in the same sprint. Document any wontfix decisions.
- Medium → Track in your backlog, fix within a quarter.
- Low / Info → Polish; not blocking.
Each finding includes a recommended fix. If our suggestion conflicts with your design, document the rationale in your repo — auditors love seeing that thought process.
