View Source

Software Licensing Certificates
- Self-Assessed Dependencies [Quick Guide & Checklist] [Detailed Guide]
- Verified Dependencies [Quick Guide & Checklist] [Detailed Guide]
- Verified Software Licence [Quick Guide & Checklist] [Detailed Guide]
- Software Licence Assurance [Quick Guide & Checklist] [Detailed Guide]
Comparison Table
Using Issued Certificates

This certificate confirms that your project integrates mature, sustainable, and traceable licensing and dependency management practices into its software development and delivery lifecycle. It applies to actively maintained, publicly or purposefully distributed software under consistent governance. It also confirms readiness for compliant, continuous governance and distribution.

It may cover a single software project or a group of related software products under unified ownership and management. The certificate remains valid indefinitely, provided certified practices are maintained and biennial audits are passed.

This certificate builds on the Verified Software LicenceCertificate by adding structured governance, compliance automation, and continuous auditing. It is recommended to obtain the Verified Software Licence Certificate for all included software before applying for this certificate.

A full specification of software licensing certificates is also available for GÉANT participants.

Prerequisites

Ensure your project:

Meets all requirements for the Verified Software Licence Certificate for all its software
Is actively maintained and publicly or purposefully distributed
Has a designated Licence Compliance Officer for oversight
Integrates automated licence and dependency scanning and validation with notification into the CI/CD pipeline

Ensure that your development practices include:

Integrated compliance tools and monitoring systems
Documented dependency management
Clear contribution and licensing policies
Regular compliance reviews and audits

Step-by-Step Process

Establish Governance and Compliance Policies and Practices

Appoint a Licence Compliance Officer responsible for licensing decisions and queries.
Establish and enforce governance policies covering:
- Inbound licences (allowed third-party licences)
- Outbound licensing (especially where multiple licences apply)
- Dependency evaluation, approval, and monitoring
- Contribution terms (e.g. CONTRIBUTING or CLA), and contribution and version management
- Licence management and conflict remediation
- Use and maintenance of compliance tools
- Internal reviews and audits
Ensure the team understands and follows these policies.
Maintain records of licensing decisions, reviews, audits, findings, corrective actions, and training activities.

Establish and Maintain Compliance Tools

Integrate automated scanning for direct and transitive dependencies, licences, vulnerabilities, and artefacts into the CI/CD pipeline for all maintained software versions.
Configure alerts and notifications for licence, version, and security issues.
Ensure compliance rules, scanning configurations, and alert thresholds are maintained and up to date.

Prepare and Maintain Artefacts and Documentation

Create and maintain artefacts and documents that manage, support, and track licence, dependency, and security governance. Make them available to team members and auditors. Include:

Core licensing artefacts: README, LICENSE, COPYRIGHT, and, if applicable, NOTICE, CONTRIBUTING, and CHANGELOG for all included software
Dependency and licence management guidelines
SCA tool, licence, and security scan results and reports
Up-to-date list of all dependencies with licences and security status
Dependency and licence approvals, including exception or waiver records where applicable
Minutes or sign-off records from compliance reviews and audits
Records tracking known vulnerabilities and their remediation
Records of monitoring alerts and responses
Code testing or review records, including those tracking external contributions where applicable
CI/CD compliance tool rules and configuration files
Up-to-date onboarding and training materials for team members on licensing, security, and intellectual property rights (IPR) management
Contribution guidelines or policies
Software Bill of Materials (SBOM) for each software (recommended)

Implement Onboarding and Training

Provide documented onboarding and training for new and existing team members covering:
- Compliance tools
- Licensing practices
- Identifying, reporting, and addressing licensing, security, and IPR concerns
Ensure all contributors follow documented processes and rules.
Keep training materials current and accessible.

Conduct and Document Ongoing Compliance

Maintain records for:

Approving new dependencies before integration
Monitoring licence changes and vulnerabilities in all dependencies
Responding to vulnerability and licence alerts
Handling contributions
Conducted compliance reviews and audits

Submit Request

Send a request to the Licence Management Team, including:

Contact details of the Licence Compliance Officer
Results of the SLA or equivalent review for exemplary software
Access to the code repository for exemplary software, including all relevant artefacts (README, LICENSE, COPYRIGHT, NOTICE, CHANGELOG, etc.)
List of all dependencies with licences and security status for exemplary software
Results of automated checks, including examples of CI/CD compliance tool rules
Governance and compliance policies, including dependency and licence management guidelines
Evidence of governance and training activities, such as onboarding materials and contribution guidelines
Exemplary records of dependency management and compliance decisions
Exemplary records associated with one or several contributions
Exemplary records of known vulnerabilities and their remediation
Records of compliance reviews and audits
Clarifications or supporting notes, if needed

Refer to Contact Us for instructions on communicating with the team.

Respond to Review Feedback

Cooperate with the Licence Management Team to:

Provide requested clarifications
Demonstrate compliance tool effectiveness
Perform remediation if required (e.g. by addressing documentation or process gaps)

Use of SCA and SLA services to verify compliance and practice performance may be required.

Use Certificate

Upon approval, your project and associated software will receive the Software Licence Assurance Certificate, visible at certificates.software.geant.org and in the GÉANT Software Catalogue.

Reference the certificate in documentation, metadata, project pages, or communications. The Licence Management Team will provide guidance on how to do this and will also provide a review report that may help you improve your practices and processes.

After Certification

Maintain Compliance

To keep the certificate valid:

Uphold all compliance procedures and practices continuously, modifying them when needed.
Keep compliance tools and their configurations up to date.
Implement governance, compliance monitoring, and automation measures across all included software.
Address identified issues promptly.
Clearly mark which software versions are actively maintained.
Maintain compliance artefacts, documentation, and data.
Respond to queries from users, contributors, or the Licence Management Team.
Conduct internal or external audits at least every two years.
Address review and audit findings.
Inform the Licence Management Team of any major practice changes.

Reviews, Audits, and Responding to Changes

A biennial audit is required, either as an internal audit by the development team or as an external audit arranged with the Licence Management Team.
Spot checks may be initiated after major changes or events.
An internal review is required following:
- Governance or leadership changes
- Major changes to compliance processes
- Serious compliance concerns raised by users

Contact the Licence Management Team proactively when significant changes occur to determine if recertification is needed.

Certificate Validity

The certificate is valid indefinitely, unless revoked.