
This certificate confirms that your project integrates mature, sustainable, and traceable licensing and dependency management into its software development and delivery lifecycle. It applies to actively maintained, publicly or purposefully distributed software under consistent governance.

The certificate may cover a single software project or a group of products under unified ownership and management. It remains valid indefinitely, provided that certified practices are maintained and biennial audits are passed.

It is recommended to obtain the Verified Software Licence Certificate before applying for this one.

A full specification of software licensing certificates is also available (the document is available for GÉANT participants).

Prerequisites

Ensure your project:

  • Meets all requirements for the Verified Software Licence Certificate for all its software
  • Is actively maintained and publicly or purposefully distributed
  • Has a designated Licence Compliance Officer for oversight
  • Integrates automated licence and dependency scanning and validation with notification into the CI/CD pipeline

Ensure that your development practices include:

  • Integrated compliance tools and monitoring systems
  • Documented dependency management
  • Clear contribution and licensing policies
  • Regular compliance reviews and audits

Step-by-Step Process

Establish Governance and Compliance Policies and Practices

  • Appoint a Licence Compliance Officer responsible for licensing decisions and queries.
  • Establish and enforce governance policies covering:
    • Inbound licences (allowed third-party licences)
    • Outbound licensing (especially where multiple licences apply)
    • Dependency evaluation, approval, and monitoring
    • Contribution terms (e.g. CONTRIBUTING or CLA), and contribution and version management
    • Licence management and conflict remediation
    • Use and maintenance of compliance tools
    • Internal reviews and audits
  • Ensure the team understands and follows these policies.
  • Maintain records of licensing decisions, reviews, audits, findings, corrective actions, and training activities.

Establish and Maintain Compliance Tools

  • Integrate automated scanning for direct and transitive dependencies, licences, vulnerabilities, and artefacts into the CI/CD pipeline for all maintained software versions.
  • Configure alerts and notifications for licence, version, and security issues.
  • Keep compliance rules, scanning configurations, and alert thresholds up to date.
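As an added illustration of the scanning, validation and notification step above (example code, not GÉANT's own tooling), the script below acts as a CI/CD gate over a CycloneDX-style SBOM: it classifies every component's declared licence against an assumed inbound licence policy, honours recorded compliance decisions (the approved-exception pairs), flags high- or critical-severity vulnerability records, and produces a plain-text notification plus a non-zero exit code that fails the pipeline. The SBOM, the policy sets, and the vulnerability id are constructed for the example; the id is a placeholder, not a real advisory.

```python
"""Licence and vulnerability gate for a CI/CD pipeline, driven by an SBOM.

Added example, not GÉANT tooling. Assumes a CycloneDX-style JSON SBOM
(only the fields read below) and a project-defined inbound licence policy.
"""
import json

# Inbound licence policy (assumed project policy, expressed as SPDX identifiers).
ALLOWED = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"}
REVIEW_REQUIRED = {"MPL-2.0", "LGPL-2.1-only", "LGPL-3.0-only"}
BLOCKING_SEVERITIES = {"critical", "high"}

# Constructed sample SBOM; the vulnerability id is a labelled placeholder, not a real CVE.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"bom-ref": "pkg:pypi/requests@2.31.0", "name": "requests", "version": "2.31.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"bom-ref": "pkg:pypi/copyleft-lib@1.0.0", "name": "copyleft-lib", "version": "1.0.0",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"bom-ref": "pkg:pypi/unlabelled@0.1.0", "name": "unlabelled", "version": "0.1.0",
         "licenses": []},
        {"bom-ref": "pkg:pypi/mpl-lib@3.0.0", "name": "mpl-lib", "version": "3.0.0",
         "licenses": [{"license": {"id": "MPL-2.0"}}]},
    ],
    "vulnerabilities": [
        {"id": "PLACEHOLDER-VULN-0001",
         "ratings": [{"severity": "high"}],
         "affects": [{"ref": "pkg:pypi/requests@2.31.0"}]},
    ],
})


def component_licences(component):
    """Return the licence ids declared for a component (empty list if none declared)."""
    ids = []
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        ids.append(lic.get("id") or lic.get("name") or "")
    return [i for i in ids if i]


def check_licences(sbom, approved_exceptions=frozenset()):
    """Classify each component against the inbound licence policy.

    approved_exceptions: set of (component name, licence id) pairs backed by a
    recorded compliance decision; these pass without blocking the build.
    """
    findings = []
    for comp in sbom.get("components", []):
        name = comp["name"]
        ids = component_licences(comp)
        if not ids:
            # An undeclared licence is treated as non-compliant, not as unknown.
            findings.append(("block", name, "no licence declared"))
            continue
        for lic in ids:
            if lic in ALLOWED or (name, lic) in approved_exceptions:
                continue
            level = "review" if lic in REVIEW_REQUIRED else "block"
            findings.append((level, name, lic))
    return findings


def check_vulnerabilities(sbom):
    """Report vulnerability records whose severity is in BLOCKING_SEVERITIES."""
    refs = {c["bom-ref"]: c["name"] for c in sbom.get("components", [])}
    findings = []
    for vuln in sbom.get("vulnerabilities", []):
        severities = {r.get("severity", "").lower() for r in vuln.get("ratings", [])}
        if severities & BLOCKING_SEVERITIES:
            for affected in vuln.get("affects", []):
                ref = affected["ref"]
                findings.append(("block", refs.get(ref, ref), vuln["id"]))
    return findings


def evaluate(sbom_text, approved_exceptions=frozenset()):
    """Return (exit_code, findings): 1 blocks the pipeline, 0 lets it pass."""
    sbom = json.loads(sbom_text)
    findings = check_licences(sbom, approved_exceptions) + check_vulnerabilities(sbom)
    exit_code = 1 if any(level == "block" for level, _, _ in findings) else 0
    return exit_code, findings


def notification(findings):
    """Plain-text message for a CI alert step (mail, chat hook, or tracker issue)."""
    return "\n".join(f"[{level.upper()}] {name}: {detail}" for level, name, detail in findings)


if __name__ == "__main__":
    code, found = evaluate(SAMPLE_SBOM, approved_exceptions={("mpl-lib", "MPL-2.0")})
    print(notification(found))
    raise SystemExit(code)
```

The "review" level is what makes the recorded compliance decisions auditable: a licence in REVIEW_REQUIRED surfaces in the notification until the Licence Compliance Officer's decision is added to the exception set, so the policy file and the decision records stay in step with what the pipeline enforces.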

Prepare and Maintain Artefacts and Documentation

Create and maintain the following artefacts and documents, making them available to team members and auditors:

  • Core licensing artefacts: README, LICENSE, COPYRIGHT, and, if applicable, NOTICE, CONTRIBUTING, and CHANGELOG for all included software
  • Up-to-date list of all dependencies with licences and security status
  • Records of compliance decisions, approvals, and reviews
  • Records of known vulnerabilities and their remediation
  • Records of monitoring alerts and responses
  • Records of code testing or review, including external contributions where applicable
  • CI/CD compliance tool rules and configuration files
  • Software Bill of Materials (SBOM) for each software (recommended)
  • Onboarding and training materials for licensing, security, and IPR management
  • Contribution guidelines

Implement Onboarding and Training

  • Provide documented onboarding and training for new and existing team members covering:
    • Compliance tools
    • Licensing practices
    • Identifying, reporting, and addressing licensing, security, and IPR concerns
  • Ensure all contributors follow documented processes and rules.
  • Keep training material up to date.

Conduct and Document Ongoing Compliance

Maintain records on:

  • Approving new dependencies before integration
  • Monitoring licence changes and vulnerabilities in all dependencies
  • Responding to vulnerability and licence alerts
  • Handling contributions
  • Conducted compliance reviews and audits

Submit Request

Send a request to the Licence Management Team, including:

  • Contact details of the Licence Compliance Officer
  • Results of the SLA or equivalent review
  • Access to the code repository for exemplary software, with all relevant artefacts (README, LICENSE, COPYRIGHT, NOTICE, CHANGELOG, etc.)
  • List of all dependencies with licences and security status for exemplary software
  • Results of automated checks, with examples of CI/CD compliance tool rules
  • Governance and compliance policies, including dependency and licence management guidelines
  • Evidence of governance and training activities, such as onboarding materials and contribution guidelines
  • Exemplary records of dependency management and compliance decisions
  • Exemplary records associated with one or several contributions
  • Exemplary records of known vulnerabilities and their remediation
  • Records of compliance reviews and audits
  • Clarifications or supporting notes, if needed

See Contact Us for instructions on communicating with the team.

Respond to Review Feedback

Cooperate with the Licence Management Team to:

  • Provide requested clarifications
  • Demonstrate compliance tool effectiveness
  • Address documentation or process gaps

Use of SCA and SLA services to verify compliance and practice performance may be required.

Use Certificate

Upon approval, your project and associated software will receive the Software Licence Assurance Certificate, which will be visible at certificates.software.geant.org and in the GÉANT Software Catalogue.

You may reference the certificate in your documentation, metadata, project page, or communications. The Licence Management Team will provide guidance on how to do this, and will also provide a review report.

After Certification

Maintain Compliance

To keep the certificate valid:

  • Uphold all compliance procedures and practices continuously, modifying them when needed
  • Keep compliance documentation current
  • Maintain compliance tools and their configurations
  • Monitor for dependency and licence changes, and address any related issues
  • Mark clearly which versions are maintained
  • Maintain up-to-date licensing artefacts and compliance documentation
  • Respond to compliance queries from users, contributors, or the Licence Management Team
  • Conduct internal or external audits at least every two years
  • Address critical review and audit findings promptly
  • Inform the Licence Management Team of any major practice changes

Reviews, Audits, and Responding to Changes

  • A full audit is required at least once every two years.
    • Internal audits can be conducted by your team.
    • External audits may be arranged with or through the Licence Management Team.
  • Spot checks may be initiated after major changes or events.
  • An internal review is required following:
    • Governance or leadership changes
    • Major changes to compliance processes
    • Compliance concerns raised by users

Contact the Licence Management Team proactively when significant changes occur to determine if recertification is needed.

Certificate Validity

The certificate is valid indefinitely, unless revoked.