
Context: CertScore verifies professional credentials through the issuing platforms. This letter explains why EC-Council credentials cannot currently be verified. For a full overview of how verification works, see our Transparency page.

Open Letter to EC-Council: Request for Programmatic Credential Verification API

From: V2C Inc (501(c)(3) Nonprofit), Rajat Ravinder Varuni, Founder

To: EC-Council, Engineering & Partnerships Team

Date: February 17, 2026

Re: Request for a Programmatic Verification API for ASPEN

Dear EC-Council Engineering and Partnerships Team,

I am writing on behalf of V2C Inc, a 501(c)(3) nonprofit organization, regarding our platform CertScore (certscore.org), a professional credential verification and ranking platform that integrates with major certification providers to help professionals showcase and prove their expertise.

The Issue

CertScore currently integrates with Credly, Accredible, and EC-Council ASPEN for credential verification. We have identified a significant gap in EC-Council's ASPEN verification system that directly disadvantages EC-Council credential holders compared to holders of certifications from other providers.

The core problem: EC-Council's ASPEN system provides no mechanism for a credential holder to programmatically prove ownership of their certification to a third-party platform.

As a result, CertScore is forced to classify all EC-Council credentials (CEH, CCISO, CND, ECSA, CHFI, CPENT, LPT, CSCU, etc.) as "self-reported," a lower trust tier that awards zero points toward a user's CertScore ranking. Meanwhile, credentials from Credly and Accredible achieve "verified" status with full points, because those providers offer a way for third-party platforms to confirm ownership.

This means an EC-Council Certified Ethical Hacker (CEH), one of the most respected certifications in cybersecurity, carries less trust weight on our platform than a Credly-issued badge, purely because of this technical limitation.

What Other Providers Do

Credly and Accredible

Both Credly and Accredible provide third-party platforms with a way to confirm that a credential actually belongs to the person claiming it, without ever exposing the holder's email address or any other personal data. This means a platform like CertScore can verify ownership on behalf of the user in a way that respects privacy and cannot be faked by someone who simply knows the badge URL.

What EC-Council ASPEN Currently Provides

We have conducted a thorough technical audit of EC-Council's ASPEN platform. Here is what we found:

ASPEN Verification Page

The verification page at aspen.eccouncil.org/verify provides a lookup form accepting two fields: Candidate Name and Certification Number. The form returns a server-rendered HTML page displaying the holder name, certification name and number, issue and expiry dates, and a "Verified" status label. There is no structured data, no JSON output, and no machine-readable response.

Capability Comparison

| Capability | Credly | Accredible | EC-Council ASPEN |
|---|---|---|---|
| JSON API endpoint | Yes | Yes | No |
| Machine-readable verification data | Yes | Yes | No (HTML only) |
| Third-party ownership verification | Yes | Yes | No |
| Privacy-preserving holder identifier | Yes | Yes | No |

The Consequence: HTML Scraping

Because ASPEN exposes only server-rendered HTML with no structured data output, CertScore is forced to fetch the raw HTML, parse the DOM, and compare names. This approach is fragile (any HTML change breaks it), unverifiable (name matching cannot prove ownership), and unfair to EC-Council holders who receive zero points while equivalent credentials from other providers receive 50 to 150 points.

CertScore Verification Status Breakdown

Verified (Gold): 20-150 points

Ownership confirmed through the issuing platform.

Self-Reported (Amber): 0 points

Name match only. All EC-Council credentials are locked here.

Rejected (Red): 0 points

Identity mismatch. The name on the credential does not match the user's profile.

EC-Council Certification Scoring Impact

| Certification | Tier | Points (if verified) | Points (current) |
|---|---|---|---|
| CEH (Certified Ethical Hacker) | Professional | 100 | 0 |
| CCISO (Chief Information Security Officer) | Professional | 100 | 0 |
| CHFI (Computer Hacking Forensic Investigator) | Professional | 100 | 0 |
| CPENT (Certified Penetration Testing Professional) | Professional | 100 | 0 |
| LPT (Licensed Penetration Tester) | Expert | 150 | 0 |
| CND (Certified Network Defender) | Professional | 100 | 0 |
| ECSA (EC-Council Certified Security Analyst) | Professional | 100 | 0 |
| CSCU (Certified Secure Computer User) | Associate | 50 | 0 |

What We Are Requesting

We respectfully request that EC-Council implement one or more of the following, listed in order of implementation simplicity:

Option A: OAuth Verification Flow

Allow credential holders to authorize third-party platforms via OAuth 2.0. The holder logs into their EC-Council account and grants read access to their certifications. This provides the strongest verification and the best user experience.

Option B: Verification Code System

Issue a unique, time-limited verification code to each credential holder via their registered email. The holder enters this code on CertScore, and we validate it against EC-Council's system. This requires only a code generation endpoint and a validation endpoint.

Option C: Any Programmatic Verification API

Any JSON API that allows a third-party platform to confirm that a given credential belongs to a given person, without exposing personal data, would solve this problem. We are happy to work with EC-Council on whatever approach fits best with ASPEN's architecture.
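
As an added illustration (not part of the original letter, and not an EC-Council or ASPEN interface), the sketch below shows how the two endpoints described in Option B could behave on the issuer side, returning the kind of personal-data-free JSON answer Option C asks for. The class name, the 10-minute lifetime, the JSON field names and the certification number are all assumptions made for the example.

```python
import hashlib, hmac, json, secrets, time

CODE_TTL_SECONDS = 600  # assumed validity window; the letter only says "time-limited"

class VerificationCodeService:
    """Hypothetical issuer-side service (not an EC-Council or ASPEN API)."""

    def __init__(self, pseudonym_key: bytes, clock=time.time):
        self._key = pseudonym_key   # issuer secret used to derive opaque holder refs
        self._clock = clock
        self._pending = {}          # sha256(code) -> (cert_number, expires_at)

    def issue_code(self, cert_number: str) -> str:
        """Code generation endpoint: the result is emailed to the registered holder."""
        code = secrets.token_urlsafe(16)  # 128 bits from the OS CSPRNG
        digest = hashlib.sha256(code.encode()).hexdigest()  # store only the hash
        self._pending[digest] = (cert_number, self._clock() + CODE_TTL_SECONDS)
        return code

    def validate(self, cert_number: str, code: str, platform_id: str) -> str:
        """Validation endpoint: JSON answer carrying no name or email address."""
        digest = hashlib.sha256(code.encode()).hexdigest()
        entry = self._pending.pop(digest, None)  # single use: consumed on first try
        if entry is None:
            return json.dumps({"verified": False, "reason": "unknown_or_used_code"})
        bound_cert, expires_at = entry
        if self._clock() > expires_at:
            return json.dumps({"verified": False, "reason": "expired"})
        if not hmac.compare_digest(bound_cert.encode(), cert_number.encode()):
            return json.dumps({"verified": False, "reason": "credential_mismatch"})
        # Opaque identifier derived with the issuer's secret key; it lets the
        # platform recognise the same credential again without any personal data.
        holder_ref = hmac.new(self._key, f"{platform_id}:{cert_number}".encode(),
                              hashlib.sha256).hexdigest()
        return json.dumps({"verified": True, "certification_number": cert_number,
                           "holder_ref": holder_ref})

if __name__ == "__main__":
    svc = VerificationCodeService(secrets.token_bytes(32))
    code = svc.issue_code("ECC-CONSTRUCTED-0001")  # constructed sample number
    print(svc.validate("ECC-CONSTRUCTED-0001", code, "certscore"))  # verified
    print(svc.validate("ECC-CONSTRUCTED-0001", code, "certscore"))  # replay rejected
```

Because the code reaches only the registered email address, a successful validation shows control of the holder's mailbox, which is the ownership proof that name matching on the HTML page cannot give.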

The Impact

EC-Council certifications are among the most prestigious in cybersecurity. The CEH alone is held by over 250,000 professionals worldwide. By not providing a verification API, EC-Council is inadvertently:

  1. Reducing trust in EC-Council credentials on third-party platforms. Any platform that integrates with both Credly and EC-Council will face the same verification gap.
  2. Disadvantaging EC-Council holders. A professional with both a CEH and a Credly-issued AWS Security Specialty will see their AWS cert verified and scored, while their CEH sits at zero points.
  3. Limiting discoverability. On CertScore's leaderboard, self-reported credentials rank lower. EC-Council holders are structurally penalized through no fault of their own.
  4. Falling behind industry standards. Other major credential providers already support programmatic third-party verification. EC-Council's absence is increasingly notable.

We have published a full transparency page explaining our verification methodology at certscore.org/transparency.

About CertScore and V2C

  • CertScore (certscore.org) is a free, open platform for professionals to verify, showcase, and rank their professional certifications
  • V2C Inc (v2c.org) is a 501(c)(3) nonprofit organization focused on workforce development and technology accessibility
  • We have no commercial interest in favoring any provider. Our goal is accurate, fair verification for all credentials
  • Our verification infrastructure is monitored 24/7, instrumented with error tracking, and operates on Supabase + Cloudflare

Next Steps

We would welcome the opportunity to discuss this further with EC-Council's engineering or partnerships team. We are prepared to:

  • Discuss detailed technical requirements for any of the above options
  • Test and validate any API endpoint in a staging environment before production rollout
  • Collaborate on a pilot program for CertScore + EC-Council integration
  • Co-author a joint announcement if EC-Council adds programmatic verification support

Please reach out to us at [email protected].

Thank you for your time and consideration. EC-Council certifications deserve the same level of trust and verifiability that the industry's other leading providers already offer.

Respectfully,

Rajat Ravinder Varuni

Founder, V2C Inc

[email protected] | v2c.org | certscore.org

V2C Inc is a 501(c)(3) tax-exempt nonprofit organization (EIN: 33-3915449). CertScore is a V2C project.