View Source

Software Licensing Certificates
- Self-Assessed Dependencies [Quick Guide & Checklist] [Detailed Guide]
- Verified Dependencies [Quick Guide & Checklist] [Detailed Guide]
- Verified Software Licence [Quick Guide & Checklist] [Detailed Guide]
- Software Licence Assurance [Quick Guide & Checklist] [Detailed Guide]
Comparison Table
Using Issued Certificates

This certificate confirms that your software project’s licensing has been reviewed and validated. It indicates that the software licence has been selected, verified for compatibility with all components, and appropriately and transparently declared. It also confirms readiness for compliant release.

The certificate remains valid for future software versions indefinitely, provided they meet certification requirements. It does not cover patents or legal liability, although patent concerns may be addressed during the Software Licence Analysis (SLA) review.

It requires your team to select a licence, internally assess licensing compliance, declare the project licence, and produce necessary artefacts. The process includes internal and SLA reviews, documentation updates, and validation by the GÉANT Licence Management Team.

The certificate builds on the Verified Dependencies Certificate by adding licence selection, SLA review, and approval of artefacts.

You may use this document as a checklist template for your project's certification process.

Initial Steps

Requirements

Aligned with Verified Dependencies Certificate

Document all external libraries and code used in the project (having an internal list is mandatory, and it may be made public).
Document licences of all external libraries and code used in the project (in the same list).
Confirm that all direct and transitive dependencies are under valid open source or proprietary licences.
Ensure that all these licences are mutually compatible, and, additionally, compatible with the software project licence.
Review each dependency for known critical security vulnerabilities (you can use the GÉANT-provided SCA and review services).
Manually review all other third-party intellectual property, including source code, components, content, designs, models, and similar assets (may be recorded in the NOTICE file).
Register the project in the GÉANT Software Catalogue.

Additional Requirements

Complete the SLA Service review, confirming licensing compliance and artefacts.
Obtain GÉANT approval of the licence, in line with the software’s context and intended distribution.

Certification Process

Perform a software licence review using the SLA Service or an equivalent internal process.
Address all dependency vulnerabilities and licence incompatibilities.
Confirm the selected licence with the Licence Management Team, and obtain approval from the GÉANT IPR Manager.
Create necessary artefacts, guided by the Software Artefacts Checklist and templates.
Declare the licence in repository metadata and, if relevant, in the software UI.
Optionally integrate SCA scanning into the CI/CD pipeline.
Send a request to the Licence Management Team, including:
- SCA report or a reference to the GÉANT SCA service performed
- Third-party IP details, if any
- Any supporting documentation
Provide clarifications or perform remediation if requested by the Licence Management Team.
Reference the certificate in your documentation, metadata, project page, or communications.

See Contact Us for information on how to communicate with the Licence Management Team.

Artefacts

Up-to-date list of all dependencies with licences and security status, including transitive ones, based on SCA tool results

Create project artefacts based on available templates. These files are reviewed and amended as part of the SLA Service.

README – Mandatory basic information about the software, licence, and copyright
LICENSE – Mandatory software licence text
COPYRIGHT – Mandatory copyright ownership information
NOTICE – Optional legal notices and attributions for third-party components, required if mandated by a licence or dependency
CHANGELOG – Optional record of versions and changes, required if mandated by a licence or dependency
CONTRIBUTING – Optional contribution policy

Governance

Upon approval, your project will receive the Verified Software Licence Certificate, visible at certificates.software.geant.org and in the GÉANT Software Catalogue.

Keep dependency, licence, and vulnerability data and project artefacts up to date. Review new or changed dependencies and monitor for newly discovered vulnerabilities or licence conflicts.

You may integrate continuous dependency and licence scanning (e.g. through CI/CD pipelines) to detect issues early and maintain long-term compliance.

The Licence Management Team validates issuance, and may occasionally review certificate status. Revalidation may be required if there are significant changes (e.g. software architecture, licensing model, component replacement under a different licence, or inclusion of new components).

The certificate is valid indefinitely, provided issues are promptly addressed.

Additional Information

Further details are available in the Detailed Guide: Verified Software Licence Certificate.