This certificate builds upon the Verified Software Licence Certificate, and confirms that a project integrates mature, sustainable, and traceable licence and dependency management practices into its software development and delivery lifecycle. It applies to actively maintained, publicly or purposefully distributed software under consistent governance. It indicates that licensing and dependency management processes have been implemented, verified, and appropriately documented. It also confirms readiness for compliant, continuous governance and distribution.
The certificate may cover a single project or a group of related software products under unified ownership and management.
The certificate remains valid indefinitely, provided certified practices are maintained and biennial audits are passed. It does not cover patents or legal liability, although patent concerns may be addressed during the Software Licence Assurance (SLA) review.
It requires your team to sustain licensing and dependency management practices, maintain compliance artefacts, implement governance and automation measures, document relevant processes, and conduct regular audits.
The certificate builds on the Verified Software Licence Certificate by adding structured governance, compliance automation, and continuous auditing.
You may use this document as a checklist template for your project's certification process.
Initial Steps
Requirements
Closely related to the Verified Software Licence Certificate
- Meet all Verified Software Licence requirements for each software developed or maintained under the project
- Regularly maintain all artefacts required by the Verified Software Licence Certificate
...
- A Licence Compliance Officer is designated, responsible for licensing decisions and queries
- Governance policies are established and enforced, covering inbound and outbound licences, dependency management, contributions, conflict resolution, compliance tools, and audits
- Automated compliance tools are integrated into the CI/CD pipeline, with alerts for licence, version, and security issues
- Compliance rules, scanning configurations, and alert thresholds are maintained and up to date
- Team onboarding and training are implemented, with up-to-date materials available
- Development practices related to use of compliance tools, monitoring, and dependency management are documented
- Contribution guidelines or policies are established and followed
- Adequate general or per-software licensing policies are in place
- Compliance records are maintained for dependency approvals, licensing decisions, contributions, reviews, and known vulnerabilities and their remediation
- Compliance reviews and audits are performed regularly, documented, and tracked with findings and corrective actions
...
- Ensure Verified Software Licence compliance for each software included in the project.
- Send a request to the Licence Management Team, including:
  - Contact details of the Licence Compliance Officer
  - Results of the SLA or equivalent review for exemplary software
  - Access to the code repository for exemplary software, including all relevant artefacts (README, LICENSE, COPYRIGHT, NOTICE, CHANGELOG, etc.)
  - List of all dependencies with licences and security status for exemplary software
  - Results of automated checks, including examples of CI/CD compliance tool rules
  - Governance and compliance policies, including dependency and licence management guidelines
  - Evidence of governance and training activities, such as onboarding materials and contribution guidelines
  - Exemplary records of dependency management and compliance decisions
  - Exemplary records associated with one or several contributions
  - Exemplary records of known vulnerabilities and their remediation
  - Records of compliance reviews and audits
  - Clarifications or supporting notes, if needed
- Respond to the Licence Management Team's feedback by:
  - Providing requested clarifications
  - Demonstrating compliance tool effectiveness
  - Performing remediation if required (e.g. by addressing documentation or process gaps)
- Reference the certificate in your documentation, metadata, project page, or communications.
See Contact Us for information on how to communicate with the Licence Management Team.
...
- Core licensing artefacts (README, LICENSE, COPYRIGHT, NOTICE, CHANGELOG, etc.) for all included software
- Up-to-date onboarding and training materials for new and existing team members on licensing, security, and IPR management
- Dependency and licence management guidelines
- Dependency and licence approvals, including exception or waiver records where applicable
- Contribution guidelines
- Code testing or review records, including those tracking external contributions where applicable
- CI/CD compliance tool rules and configuration files
- SCA tool, licence, and security scan results and reports
- Records of regular dependency management and compliance decisions
- Records tracking known vulnerabilities and their remediation
- Records of monitoring alerts and responses
- Minutes or sign-off records from compliance reviews and audits
- Software Bill of Materials (SBOM) for each software (recommended)
...
Upon approval, your project and associated software will receive the Software Licence Assurance Certificate, which will be visible at certificates.software.geant.org and in the GÉANT Software Catalogue.
Maintain ongoing compliance, governance, automation measures, and licensing compliance and artefacts for each software included in the project.
The Licence Management Team validates issuance, and may occasionally review the certificate status.
A biennial audit is required, either as an internal audit by the development team or as an external audit arranged with the Licence Management Team.
An internal review is required following governance or leadership changes, major changes to compliance processes, or after serious compliance concerns raised by users.
...
Further details are available in the Detailed Guide: Software Licence Assurance Certificate.