Versions Compared

Old Version 1

changes.mady.by.user Marcin Wolski

Saved on

compared with

New Version Current

changes.mady.by.user Anđela Arsović

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Info
titleSoftware Licensing Certificates Series

This certificate confirms This certificate confirms that your project integrates mature, sustainable, and traceable licensing and dependency management practices into its software development and delivery lifecycle. It applies to actively maintained, publicly or purposefully distributed software under consistent governance. It also confirms readiness for compliant, continuous governance and distribution.

The certificate It may cover a single software project or a group of related software products under unified ownership and management. It The certificate remains valid valid indefinitely, provided certified practices are maintained , and biennial audits are passed.

This certificate builds on the Verified Software LicenceCertificate by adding structured governance, compliance automation, and continuous auditing. It is recommended to obtain the Verified Software Licence Certificate for all included software before applying for this onecertificate. 

A full specification of of software licensing certificates is is also available (the document is available for GÉANT participants).

Prerequisites

Ensure your project:

  • Meets all requirements for the Verified Software Licence Certificate for all its software
  • Is actively maintained and publicly or purposefully distributed
  • Has a designated Licence Compliance Officer for oversight
  • Integrates automated licence and dependency scanning and validation with notification into the CI/CD pipeline

Ensure that your development practices include:

  • Integrated compliance tools and monitoring systems
  • Documented dependency management
  • Clear contribution and licensing policies
  • Regular compliance reviews and audits

Step-by-Step Process

Establish Governance and Compliance Policies and Practices

  • Appoint a Licence Compliance Officer responsible for licensing decisions and queries.
  • Establish and enforce governance policies covering:

    • Inbound licences (allowed third-party licences)

    • Outbound licensing (especially where multiple licences apply)

    • Dependency evaluation, approval, and monitoring

    • Contribution terms (e.g.

    •  

    • CONTRIBUTING or CLA), and contribution and version management

    • Licence management and conflict remediation

    • Use and maintenance of compliance tools
    • Internal reviews and audits

  • Ensure the team understands and follows these policies.

  • Maintain records of licensing decisions, reviews, audits, findings, corrective actions, and training activities.

Establish and Maintain Compliance Tools

  • Integrate automated scanning for direct and transitive dependencies, licences, vulnerabilities, and artefacts into the CI/CD pipeline for all maintained software versions.
  • Configure alerts and notifications for licence, version, and security issues.
    • Keep

  • Ensure compliance rules, scanning configurations, and alert thresholds are maintained and up to date.

Prepare and Maintain Artefacts and Documentation

Create and maintain the following artefacts and documents , making that manage, support, and track licence, dependency, and security governance. Make them available to team members and auditors. Include:

  • Core licensing artefacts:
    •  
  • README, LICENSE, COPYRIGHT, and, if applicable, NOTICE, CONTRIBUTING, and CHANGELOG for all included software
  • Dependency and licence management guidelines
  • SCA tool, licence, and security scan results and reports
  • Up-to-date list of all dependencies with licences and security status

  • Records of compliance decisions, approvals, and reviews

    • Records of
  • Dependency and licence approvals, including exception or waiver records where applicable
  • Minutes or sign-off records from compliance reviews and audits

  • Records tracking known vulnerabilities and their remediation

  • Records of monitoring alerts and responses

    • Records of code

  • Code testing or review records, including those tracking external contributions where applicable

  • CI/CD compliance tool rules and configuration files

  • Software Bill of Materials (SBOM) for each software (recommended)

    • Onboarding
  • Up-to-date onboarding and training materials for team members on licensing, security, and intellectual property rights (IPR) management

  • Contribution guidelines or policies

  • Software Bill of Materials (SBOM) for each software (recommended)

Implement Onboarding and Training

  • Provide documented onboarding and training for new and existing team members covering:
    • Compliance tools
    • Licensing practices
    • Identifying, reporting, and addressing licensing, security, and IPR concerns
  • Ensure all contributors follow documented processes and rules.
  • Keep training
    • material up to date
  • materials current and accessible.

Conduct and Document Ongoing Compliance

Maintain records onfor:

  • Approving new dependencies before integration

  • Monitoring licence changes and vulnerabilities in all dependencies

  • Responding to vulnerability and licence alerts
  • Handling contributions
  • Conducted compliance reviews and audits

Submit Request

Send a request to the Licence Management Team, including:

  • Contact details of the Licence Compliance Officer

  • Results of the SLA or equivalent review for exemplary software

  • Access to the code repository for exemplary software,
    • with
  • including all relevant artefacts (README, LICENSE, COPYRIGHT, NOTICE, CHANGELOG, etc.)
  • List of all dependencies with licences and security status for exemplary software
  • Results of automated checks,
    • with
  • including examples of CI/CD compliance tool rules

  • Governance and compliance policies, including dependency and licence management guidelines

  • Evidence of governance and training activities, such as onboarding materials and contribution guidelines

  • Exemplary records of dependency management and compliance decisions

  • Exemplary records associated with one or several contributions

  • Exemplary records of known vulnerabilities and their remediation

  • Records of compliance reviews and audits

  • Clarifications or supporting notes, if needed

See Refer to Contact Us for instructions on communicating with the team.

...

Cooperate with the Licence Management Team to:

  • Provide requested clarifications
  • Demonstrate compliance tool effectiveness
    • Address
  • Perform remediation if required (e.g. by addressing documentation or process gaps)

Use of SCA and SLA services to verify compliance and practice performance may be required.

...

Upon approval, your project and associated software will receive the Software Licence Assurance Certificate, which will be visible at  visible at certificates.software.geant.org and in the GÉANT Software Catalogue.

You may reference Reference the certificate in your documentation, metadata, project pagepages, or communications. The Licence Management Team will provide guidance on how to do this, and this and will also provide a review report that may help you improve your practices and processes.

After Certification

Maintain Compliance

To keep the certificate valid:

  • Uphold all compliance procedures and practices continuously, modifying them when needed.
  • Keep
    • compliance documentation currentMaintain
  • compliance tools and their configurations
  • Monitor for dependency and licence changes, and address any related issues
  • Mark clearly which versions are maintained
  • Maintain up-to-date licensing artefacts and compliance documentation
    • Respond to compliance
  • up to date.

  • Implement governance, compliance monitoring, and automation measures across all included software.

  • Address identified issues promptly.
  • Clearly mark which software versions are actively maintained.

  • Maintain compliance artefacts, documentation, and data.

  • Respond to queries from users, contributors, or the Licence Management Team.
  • Conduct internal or external audits at least every two years.
  • Address
    • critical
  • review and audit findings
    • promptly
  • .
  • Inform the Licence Management Team of any major practice changes.

Reviews, Audits, and Responding to Changes

  • A

    • full

  • biennial audit is required

    • at least once every two years.
  • Internal audits can be conducted by your team.
    • External audits may be arranged with or through

  • , either as an internal audit by the development team or as an external audit arranged with the Licence Management Team.

  • Spot checks may be initiated after major changes or events.
  • An internal review is required following:
    • Governance or leadership changes
    • Major changes to compliance processes
    • Compliance
    • Serious compliance concerns raised by users

Contact the Licence Management Team proactively when significant changes occur to determine if recertification is needed.

...