This certificate applies to software projects that are not externally distributed, or that have not yet declared a licence. It confirms that all third-party dependencies, including transitive ones, have been identified and externally verified for mutual licence compatibility and critical vulnerabilities. It is suitable for internal tools or services, unlicensed or unpublished code, and projects seeking external validation before choosing a licence.

The certificate does not grant distribution rights or replace licence selection and compliance, as it does not assess the project’s own licensing. It builds upon the Self-Assessed Dependencies Certificate, providing stronger assurance of third-party legal and security risks by extending the scope to transitive dependencies and introducing verification by the Licence Management Team, after the software team has internally evaluated key points about dependencies, licences, and security, and prepared verification materials.

A full specification of software licensing certificates is also available (the document is available for GÉANT participants).

Prerequisites

Ensure your software project:

• Has all direct and transitive dependencies identified and documented

• Has confirmed that all dependency licences are mutually compatible for use in the software

• Contains no known critical vulnerabilities in dependencies
• Lists any other third-party intellectual property included in the project, including source code, components, content, designs, models, and similar assets (these may be recorded in the NOTICE file)

• Is registered in the GÉANT Software Catalogue

Step-by-Step Process

Identify Dependencies

Compile a complete list of all direct and transitive third-party dependencies in your software project. You may use structured manual review, a Software Composition Analysis (SCA) tool, or the GÉANT SCA service.

Document licence and vulnerability information for each dependency.

Verify Compatibility and Compliance

Confirm that all dependencies are under suitable open source or proprietary terms, and that their licences are mutually compatible for use in your software.

Address Known Issues

Address all critical vulnerabilities in dependencies, typically by upgrading to secure versions.

Resolve any known licence incompatibilities and instances of improper use of third-party intellectual property.

Prepare Required Documentation

Ensure that dependency information, vulnerability records, and third-party IP details (if any) are complete and up to date.

Consider preparing supplementary README and NOTICE files based on available templates.

Submit Request

Send a request to the Licence Management Team, including:

• Detailed dependency list with licences or SCA tool results
• Third-party IP details, if any
• Any supporting documentation with descriptions of third-party components, such as README, NOTICE, or internal reports

You may also refer to results from the GÉANT SCA service, if used.

See Contact Us for instructions on communicating with the team.

Respond to Review Feedback

Cooperate with the Licence Management Team to:

• Provide requested clarifications
• Remediate identified incompatibilities or vulnerabilities
• Update dependency records and documentation as needed

Use Certificate

Upon approval, your project will receive the Verified Dependencies Certificate, which will be visible at certificates.software.geant.org and in the GÉANT Software Catalogue.

You may reference the certificate in your documentation, metadata, project page, or communications. The Licence Management Team will provide guidance on how to do this.

After Certification

Maintain Compliance

To keep the certificate valid:

• Keep dependency, licence, and vulnerability data accurate and up to date
• Review all new or changed dependencies
• Address newly discovered vulnerabilities or licence incompatibilities promptly

Certificate Validity

The certificate is valid for five years, covering all versions released within that period, provided vulnerabilities and licence incompatibilities are addressed.

Renewal

Reassess and submit a renewal request before the five-year validity period ends, or sooner if there are significant changes (e.g., component replacement under a different licence, or inclusion of new components).

Avoiding Revocation

The certificate may be revoked if:

• Incompatible dependency licences are introduced or discovered
• Critical vulnerabilities in dependencies remain unresolved
• Non-compliance between component licences remains unresolved
• Complaints about undeclared, licence-incompatible, or critically vulnerable dependencies are confirmed and unresolved
• The team fails to respond to enquiries or complaints during investigations and reviews
• The development team requests revocation

Optional: Continuous Dependency and Licence Scanning

Integrate SCA scanning into your CI/CD pipeline to detect licence or vulnerability issues early, and maintain long-term compliance.