Press Release

H33 Launches HICS: Free Software Scoring with Post-Quantum Cryptographic Attestation

FLORIDA, March 30, 2026 — For Immediate Release

H33 Cryptographic Systems, Inc. today announced HICS (H33 Independent Code Scoring), a free software quality scoring tool that evaluates codebases locally and produces cryptographically verifiable attestations using STARK zero-knowledge proofs and Dilithium post-quantum digital signatures. HICS is available immediately at no cost, with no account required, and no source code ever leaves the developer's machine.

"SonarQube tells you what it found. Semgrep tells you what it found. Neither of them can prove what they found is real, that nobody tampered with the results, or that the scan even ran. HICS produces a score, then mathematically proves the score is correct. That's the difference between a report and a fact."

— Eric Beans, CEO, H33 Cryptographic Systems

Free. Unlimited. No Account.

HICS is free for every developer on every codebase, forever. Install and run in two commands:

brew install h33/tap/hics && hics scan .

No cloud upload. No account creation. No telemetry. No usage limits. The scan runs entirely on the developer's machine. The results stay on the developer's machine. H33 never sees the code, the findings, or the score. This is a fundamental architectural choice, not a trial limitation.

Why Existing Tools Aren't Enough

The software security ecosystem already includes static analysis (SonarQube, Semgrep, CodeQL), software composition analysis for dependencies (Snyk, Mend, Dependabot), SBOM generation (CycloneDX, SPDX), binary scanning (Black Duck), formal verification tools, and paid third-party code audits. HICS does not replace these tools. It solves a problem none of them address: provable, tamper-proof, third-party-verifiable scoring.

Static analysis tools (SonarQube, Semgrep) scan code and produce reports. The reports are files. Files can be edited, redacted, or fabricated. A vendor can run SonarQube, get 47 critical findings, fix the report to show zero, and send it to a buyer. The buyer has no way to verify the report wasn't altered. HICS scores are sealed with a STARK proof and a Dilithium signature. Altering a single finding invalidates the proof. Mathematically.

SCA and SBOM tools (Snyk, CycloneDX) analyze dependencies, not code quality. An SBOM tells you what libraries are in the build. It doesn't tell you if the application code handles secrets correctly, implements rate limiting, or uses post-quantum cryptography. HICS evaluates the code itself across five dimensions that dependency lists can't capture.

Paid third-party audits (NCC Group, Trail of Bits, Cure53) are the gold standard for deep security review. They also cost $50,000–$500,000 per engagement, take weeks to months, and produce a PDF that is also just a file. HICS is not a replacement for expert human review. It is a continuous, automated, cryptographically attested baseline that runs on every commit, not once a year.

Formal verification (Kani, CBMC, Coq) proves specific properties about specific functions. It does not produce an overall quality score, does not assess operational practices, and is applicable only to codebases written in supported languages. HICS complements formal verification by providing the macro-level assessment that formal methods are too granular to address.

No existing tool produces output that a third party can independently verify without trusting the vendor. That is what HICS does.

The Attestation Layer

For enterprises requiring verifiable proof, HICS generates a .h33 certificate containing four cryptographic artifacts:

The free scan gives developers their score. The paid attestation gives enterprises a mathematically verified certificate they can share with buyers, auditors, and regulators. The score without the proof is a claim. The score with the proof is a fact.

H33 Scored Itself First

Before making HICS publicly available, H33 ran the algorithm against its own production codebase — 478 files, 294,200 lines of Rust. The initial score was 70 out of 100 (Grade C). H33 published the findings, the specific deductions, and the remediation plan in a public blog post titled "We Scored a C."

Over the following 24 hours, H33 fixed every finding and achieved a score of 100 out of 100 (Grade A). The algorithm was not modified to achieve this result. The code was. Both the original and final scores remain publicly accessible at h33.ai/blog.

HICS-PQ: Post-Quantum Library Attestations

Alongside HICS, H33 is launching HICS-PQ, a specialized attestation program for individual post-quantum cryptographic implementations. HICS-PQ evaluates libraries across four dimensions: Correctness (NIST Known Answer Test vector compliance, round-trip integrity), Security (constant-time execution, side-channel resistance), Performance (latency benchmarks, throughput), and Standards Compliance (FIPS 203/204/206 alignment, interoperability).

Each H33 post-quantum library — Dilithium ML-DSA-65, Kyber ML-KEM-768, FALCON-512, SPHINCS+ SLH-DSA, and three FHE engines (BFV, CKKS, BGV) — carries a publicly verifiable HICS-PQ attestation at h33.ai/pq. Attestations update automatically on every release. No other post-quantum cryptography vendor publishes per-library KAT compliance results with STARK attestation and timestamps.

The Verification Badge

Vendors who earn a HICS attestation receive an embeddable verification badge — a live cryptographic check, not a static image. When a buyer clicks the badge, five verification checks run in real time: Proof ID existence, STARK proof validity, Dilithium signature validation, Merkle root integrity, and certificate freshness. If any check fails, the badge indicates failure with a specific reason. H33 is the first company to display the badge, linking to its verified 100/100 score at h33.ai/verify.

Open Formula, Proprietary Implementation

The HICS scoring formula — category definitions, weights, grade thresholds, finding type specifications, and the confidence-weighting methodology — is published openly and available for public audit. The implementation (tree-sitter AST scanners, STARK proof generation, Dilithium signing infrastructure) is proprietary. This mirrors established models in credit scoring and financial rating: the methodology is transparent, the technology is licensed.

Key Facts

Availability

HICS is available immediately at no cost. The CLI, verification page, HICS-PQ library attestations, scoring methodology, and all supporting documentation are live at h33.ai.

About H33 Cryptographic Systems

H33 is a post-quantum authentication infrastructure company. H33 combines Fully Homomorphic Encryption (FHE), STARK zero-knowledge proofs, and NIST-standardized post-quantum signatures (Dilithium, Kyber, FALCON) in a single API call. The platform processes 2.17 million authentications per second at 38.5 microseconds per auth with zero data exposure. H33 has 134 patent claims pending. The company is SOC 2 compliant via Drata and HIPAA compliant. H33's technology is built entirely in Rust with zero external cryptographic dependencies.

For more information, visit h33.ai.

Media Contact

H33 Cryptographic Systems, Inc.

press@h33.ai

h33.ai