View Source

Software Licensing Certificates
- Self-Assessed Dependencies [Quick Guide & Checklist] [Detailed Guide]
- Verified Dependencies [Quick Guide & Checklist] [Detailed Guide]
- Verified Software Licence [Quick Guide & Checklist] [Detailed Guide]
- Software Licence Assurance [Quick Guide & Checklist] [Detailed Guide]
Comparison Table
Using Issued Certificates

This certificate confirms that your software project’s licensing has been reviewed and validated. It indicates that the selected licence has been verified for compatibility with all components, appropriately and transparently declared, and that the software is ready for compliant release when it comes to licensing and reasonable dependency checks.

The certificate builds upon the Verified Dependencies Certificate, extending its scope to include licence selection, Software Licence Analysis (SLA) review, and approval of required artefacts. The certificate remains valid indefinitely for future software versions, provided certification requirements continue to be met. It does not cover patents or legal liability, although patent concerns may be addressed during the SLA review.

A full specification of software licensing certificates is also available for GÉANT participants.

Prerequisites

Ensure your software project:

Is intended for distribution
Has all direct and transitive dependencies identified and verified
Uses a clear software licence compatible with all dependencies, confirmed by the GÉANT IPR Manager
Has internally assessed licensing compliance and produced the required artefacts
Is registered in the GÉANT Software Catalogue

Also ensure that:

Project artefacts include the required licence and copyright
Compliance requirements of all dependencies are fulfilled

Step-by-Step Process

Review Dependencies

Identify all direct and transitive dependencies. You may use the GÉANT Software Composition Analysis (SCA) service, or obtain a Verified Dependencies Certificate.
Document all external libraries, code, and other third-party intellectual property used in the project.
Record the licences of all external components.
Manually review all third-party intellectual property (source code, content, designs, models, etc.), which may be recorded in the NOTICE file.
Address all critical vulnerabilities, typically by upgrading dependencies.

Select and Verify Licence

Initiate the GÉANT Software Licence Analysis (SLA) service, conduct an internal review, or rely on an equivalent process.
Select a candidate licence or licences appropriate for the project’s context and intended distribution.
Confirm that all dependency licences are compatible with the selected licence.
Confirm the selected licence with the Licence Management Team, and obtain approval from the GÉANT IPR Manager.
Document any conflicts, resolutions, and rationales.

Prepare Required Artefacts

Use the GÉANT SLA service, or the Software Artefacts Checklist and templates for GÉANT participants.

Mandatory artefacts:

LICENSE – full text of the selected licence
COPYRIGHT – copyright notices and attributions
README – includes basic information, licence declaration, and copyright

If applicable or required by the licence:

NOTICE – third-party notices and attributions
CHANGELOG – version history, including licence-related changes
CONTRIBUTING – contribution policy or guidelines

Ensure that artefacts clearly and explicitly declare the selected licence, copyright ownership, and are in compliance with the terms of all dependencies.

Declare Licence in Metadata and User Interface

Declare the licence in:

Repository metadata or settings
Software user interface (if required by the licence)
Documentation, help files, and release notes

Submit Request

Send a request to the Licence Management Team, including:

Results of the SLA or equivalent review
Access to the repository with all relevant artefacts
Supporting documentation or clarifications, such as descriptions of third-party components or internal reports on dependencies, licences, and vulnerabilities

Refer to Contact Us for instructions on communicating with the team.

Respond to Review Feedback

Cooperate with the Licence Management Team to:

Provide requested clarifications
Remediate licence conflicts or vulnerabilities
Update artefacts and documentation as needed

Use Certificate

Upon approval, your project will receive the Verified Software Licence Certificate, visible at certificates.software.geant.org and in the GÉANT Software Catalogue.

Reference the certificate in documentation, metadata, project pages, or communications. The Licence Management Team will provide guidance on how to do this.

After Certification

Maintain Compliance

To keep the certificate valid:

Keep dependency, licence, and vulnerability data accurate and up to date.
Monitor for new vulnerabilities or licence conflicts, which may be newly discovered or introduced by dependency or licence changes.
Address identified issues promptly.
Clearly mark which software versions are actively maintained.
Maintain up-to-date licensing artefacts and compliance documentation.
Avoid changing the project’s licence without prior review and re-approval.
Inform the Licence Management Team of any major project changes that may affect licensing and IPR.
Respond to compliance-related queries from users or third parties.

Substantial changes to the software’s architecture, licensing model, or component replacements under a different licence may require revalidation.

Certificate Validity

The certificate is valid indefinitely, provided issues are promptly addressed and certification requirements continue to be met.

The Licence Management Team may periodically check the software and request revalidation if necessary.

Optional: Continuous Dependency and Licence Scanning

Integrate SCA scanning into the CI/CD pipeline to detect licence or vulnerability issues early, and maintain long-term compliance.