Editorial methodology
How public scans work
Each entry under /scans/<owner>/<repo> is the result of running
pqc-audit against an open-source repository at a specific commit.
The scanner is regex-based, fast, and deliberately narrow — it finds calls into
known asymmetric-cryptography APIs (RSA, ECDSA, ECDH, Ed25519, X25519, DSA, DH)
plus a handful of Grover-weakened symmetric primitives (AES-128, MD5, SHA-1).
Cohort selection
Every scan in the public corpus belongs to a named cohort: a documented, reproducible list of repositories. We currently track:
- seed-2026q2 — hand-picked repositories used to validate the pipeline.
- npm-top-1k-2026q2 — the top 1,000 npm packages by weekly download count, snapshotted on a published date.
- pypi-top-1k-2026q2 — the equivalent for PyPI.
- github-stars-10k-2026q2 — public GitHub repositories with more than 10,000 stars.
Cohort lists are committed to git. If a project is in the corpus, its membership and rank are auditable.
What the scanner detects
The ruleset is in src/lib/pqc-scanner.ts (browser/Worker port) and
tools/pqc-audit/src/pqc_audit/scanner.py (CLI).
Every pattern names its source file, language family, and the primitive class
it identifies. Examples:
- Python: cryptography.hazmat, pycryptodome imports.
- JavaScript / Node: crypto.generateKeyPair("rsa" | "ec" | "ed25519"), WebCrypto {name: "RSA-OAEP"}.
- Go: crypto/rsa, crypto/ecdsa, elliptic.P256().
- Rust: use rsa::, use p256::, ed25519-dalek dep.
- Java: KeyPairGenerator.getInstance("RSA"|"EC"|...), BouncyCastle.
- C/C++: <openssl/rsa.h>, EVP_PKEY_RSA, NID_X25519.
- PEM headers: -----BEGIN RSA PRIVATE KEY-----, EC PRIVATE KEY.
What the scanner deliberately misses
- AST / dataflow analysis. A regex match flags presence, not actual runtime use. A vendored test fixture and a production codepath both produce a finding.
- Indirect dependencies. If a library uses RSA internally and your code only imports the library wrapper, we don't see it. CBOM ingestion (planned) closes this gap.
- Binary / compiled code. Source-only at v0. Container and binary scanning (CBOMkit-theia parity) is on the roadmap.
- Negative results. "No findings" means no patterns matched on the scanned file extensions; it does not mean the project is post-quantum.
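As an added illustration, not code from pqc-scanner.ts or scanner.py, the Python sketch below shows the shape of the regex-presence scan described under "What the scanner detects" and the consequence spelled out under "What the scanner deliberately misses": a rule matches a line of text, not a reachable call, so a PEM fixture under tests/ produces a finding exactly like a production key-generation path. The rule list is a constructed subset of the pattern families named above, the fixture-directory hint is a triage aid added here (the finding is recorded either way), the sample checkout is constructed, and the 240-character excerpt bound is taken from the storage policy on this page.

```python
import re
from dataclasses import dataclass

# Illustrative rules modelled on the pattern families the methodology lists.
# Constructed for this example; not the project's actual ruleset.
# Each rule: (language family, primitive class, compiled regex).
PATTERNS = [
    ("python", "RSA/EC library", re.compile(r"\b(?:from|import)\s+cryptography\.hazmat\b")),
    ("python", "RSA/EC library", re.compile(r"\b(?:from|import)\s+Crypto(?:dome)?\.")),
    ("python", "MD5/SHA-1 (Grover-weakened)", re.compile(r"\bhashlib\.(?:md5|sha1)\(")),
    ("javascript", "asymmetric keygen",
     re.compile(r"crypto\.generateKeyPair(?:Sync)?\(\s*['\"](?:rsa|ec|ed25519)['\"]")),
    ("javascript", "RSA-OAEP", re.compile(r"name\s*:\s*['\"]RSA-OAEP['\"]")),
    ("go", "RSA", re.compile(r'"crypto/rsa"')),
    ("go", "ECDSA", re.compile(r'"crypto/ecdsa"')),
    ("go", "P-256", re.compile(r"elliptic\.P256\(\)")),
    ("rust", "RSA", re.compile(r"\buse\s+rsa::")),
    ("rust", "P-256", re.compile(r"\buse\s+p256::")),
    ("java", "asymmetric keygen", re.compile(r'KeyPairGenerator\.getInstance\(\s*"(?:RSA|EC)"')),
    ("c", "RSA", re.compile(r"<openssl/rsa\.h>|\bEVP_PKEY_RSA\b")),
    ("c", "X25519", re.compile(r"\bNID_X25519\b")),
    ("pem", "RSA private key", re.compile(r"-----BEGIN RSA PRIVATE KEY-----")),
    ("pem", "EC private key", re.compile(r"-----BEGIN EC PRIVATE KEY-----")),
]

EXCERPT_LIMIT = 240  # stored-excerpt bound from the storage policy

# Path components that usually hold fixtures or vendored code. Triage hint only,
# added for this example: a match here is still a finding, pending maintainer review.
FIXTURE_DIRS = {"test", "tests", "testdata", "fixtures", "vendor", "third_party"}


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    language: str
    primitive: str
    excerpt: str        # matched line, truncated to EXCERPT_LIMIT characters
    fixture_hint: bool  # path looks like test/vendored material


def looks_like_fixture(path: str) -> bool:
    return any(part.lower() in FIXTURE_DIRS for part in path.split("/"))


def scan_text(path: str, text: str) -> list[Finding]:
    """Line-oriented regex scan: one Finding per (line, rule) match.
    Presence only: no parsing, no dataflow, so reachability is unknown."""
    findings = []
    hint = looks_like_fixture(path)
    for lineno, line in enumerate(text.splitlines(), start=1):
        for language, primitive, rx in PATTERNS:
            if rx.search(line):
                findings.append(Finding(path, lineno, language, primitive,
                                        line.strip()[:EXCERPT_LIMIT], hint))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan an in-memory {path: contents} map standing in for a cloned checkout."""
    out = []
    for path in sorted(files):
        out.extend(scan_text(path, files[path]))
    return out


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Counts per primitive class; every entry is informational, never a 'vulnerability'."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.primitive] = counts.get(f.primitive, 0) + 1
    return counts


# Constructed sample checkout; the PEM body is a placeholder, not a real key.
SAMPLE_REPO = {
    "src/keys.py": (
        "from cryptography.hazmat.primitives.asymmetric import rsa\n"
        "key = rsa.generate_private_key(65537, 2048)\n"
    ),
    "src/sign.js": (
        "const crypto = require('crypto');\n"
        "const kp = crypto.generateKeyPairSync('ed25519');\n"
    ),
    "pkg/tls.go": (
        'import (\n\t"crypto/ecdsa"\n\t"crypto/elliptic"\n)\n'
        "func curve() elliptic.Curve { return elliptic.P256() }\n"
    ),
    "src/hash.py": "import hashlib\ndigest = hashlib.md5(data).hexdigest()\n",
    "tests/fixtures/key.pem": (
        "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER-NOT-A-REAL-KEY\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
}

if __name__ == "__main__":
    results = scan_files(SAMPLE_REPO)
    for f in results:
        tag = " [fixture? review]" if f.fixture_hint else ""
        print(f"{f.path}:{f.line} {f.language} {f.primitive}: {f.excerpt}{tag}")
    print("informational totals:", summarize(results))
```

Running it on the constructed checkout yields six findings: one each in keys.py, sign.js, hash.py and the PEM fixture, and two in tls.go (the ecdsa import and the P256() call). The fixture finding carries the review hint but is counted like the others, which is the point of the "presence, not use" caveat; a SHA-256 call or a library that wraps RSA internally would yield nothing.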
How findings are framed
Every finding is informational. RSA-2048 and P-256 are still secure as of 2026. The risk model is harvest-now-decrypt-later: encrypted traffic captured today could be decrypted once a cryptographically relevant quantum computer exists. NIST IR 8547 deprecates RSA-2048 / P-256 in 2030 and disallows them in 2035.
We never characterize a project as "vulnerable" or "broken" on the basis of a pre-quantum primitive alone. We name the primitive, the location, and the NIST-aligned migration target (ML-KEM-768 / ML-DSA-65), and we link to the project's GitHub source.
Maintainer policy
- Findings are public from the moment they are scanned. No embargoed window for "responsible disclosure" — these are not vulnerabilities.
- Before any aggregate report names a project among "top offenders," its maintainers are emailed 14 days in advance with their own scan + a chance to comment, correct, or opt out of the headline framing. Opt-outs are published as such; we don't punish them.
- If a maintainer believes a finding is a false positive (test fixture, vendored code, etc.), they can email us a one-line correction and we'll flag the finding accordingly. The correction is public.
Editorial firewall
A project being in the public-scan corpus has no relationship to whether its organization sponsors Quantum Outpost or pays for any pqc-audit tier. Editorial decisions about what to scan, what to publish, and what to feature are made independent of any commercial relationship — the policy lives at /independence.
Storage and privacy
- We store: repository metadata (name, stars, language, topics), commit SHA, finding location (file path + line), the matched pattern, and a ≤240-character excerpt of the matched line.
- We do not store: cloned source code beyond the scanner run, file contents outside excerpts, contributor identifiers, issue or PR bodies, or any private repository data.
- Cloned repositories are deleted immediately after scanning.
Reproducibility
The scanner version is recorded on every scan row. The commit SHA is recorded.
The cohort name and date are recorded. Anyone can run
pqc-audit scan ./local-checkout against the same commit and
reproduce the finding count to within the documented tolerance for transient
generated files (e.g., a build step that emits temporary .pem
fixtures).
Get in touch
Maintainer corrections, false-positive reports, and removal requests: [email protected].