View Source

Software Licensing Certificates
- Self-Assessed Dependencies [Quick Guide & Checklist] [Detailed Guide]
- Verified Dependencies [Quick Guide & Checklist] [Detailed Guide]
- Verified Software Licence [Quick Guide & Checklist] [Detailed Guide]
- Software Licence Assurance [Quick Guide & Checklist] [Detailed Guide]
Comparison Table
Using Issued Certificates

This certificate verifies that a software project in active development has identified and internally assessed all direct dependencies and other third-party intellectual property for licence compatibility and critical vulnerabilities. It represents an initial stage of licence governance and compliance, achieved through internal verification.

It does not replace the analysis of transitive dependencies, the selection of the project’s own licence, or imply distribution rights.

It requires your team to self-evaluate key points about dependencies, licences, and security.

You may use this document as a checklist template for your project’s certification process.

Initial Steps

Requirements

Document all directly used external libraries and code (an internal list is mandatory, and it may be made public).
Document licences of these libraries and code (in the same list).
Confirm that all direct dependencies are under valid open source or proprietary licences.
Ensure that all these licences are mutually compatible.
Review each direct dependency for known critical vulnerabilities (you can use the GÉANT-provided SCA and review services, or CVE or NIST databases), and capture vulnerability details in a SCA report or internal document.
Manually review all other third-party intellectual property, including source code, components, content, designs, models, and similar assets (may be recorded in the NOTICE file).
Record information on direct dependencies and third-party IP (name, version, licence) in a README, NOTICE, or in an internal document.
Register the project in the GÉANT Software Catalogue.

Certification Process

Inform the Licence Management Team that your project meets the certificate requirements.

Reference the certificate in your documentation, metadata, project page, or communications.

See Contact Us for information on how to communicate with the Licence Management Team.

Artefacts

Internal list of direct dependencies, their licences, and vulnerabilities, available upon request

Consider producing public artefacts based on available templates:

README – Optional, but useful to capture basic information about the software early; it is the starting point for documented and licensed software
NOTICE – Optional, but required if legal notices or attributions for third-party components are mandated by dependency licences

Governance

Upon approval, your project will receive the Self-Assessed Dependencies Certificate, visible at certificates.software.geant.org and in the GÉANT Software Catalogue.

Keep dependency, licence, and vulnerability data up to date. Review new or changed dependencies and monitor for newly discovered vulnerabilities or licence conflicts.

The certificate is valid for five years, covering all released versions within that period, provided issues are promptly addressed.

Reassess and submit a renewal request before the five-year validity ends, or sooner if there are significant changes (e.g., component replacement under a different licence, or inclusion of new components).

Additional Information

Further details are available in the Detailed Guide: Self-Assessed Dependencies Certificate.