Software Licensing Certificates Series

This certificate confirms that your project integrates mature, sustainable, and traceable licensing and dependency management practices into its software development and delivery lifecycle. It applies to actively maintained, publicly or purposefully distributed software under consistent governance. It also confirms readiness for compliant, continuous governance and distribution.

It may cover a single software project or a group of related software products under unified ownership and management. The certificate remains valid indefinitely, provided certified practices are maintained and biennial audits are passed.

This certificate builds on the Verified Software Licence Certificate by adding structured governance, compliance automation, and continuous auditing. It is recommended to obtain the Verified Software Licence Certificate for all included software before applying for this certificate.

A full specification of software licensing certificates is also available for GÉANT participants.

Prerequisites

Ensure your project:

  • Meets all requirements for the Verified Software Licence Certificate for all its software
  • Is actively maintained and publicly or purposefully distributed
  • Has a designated Licence Compliance Officer for oversight
  • Integrates automated licence and dependency scanning and validation with notification into the CI/CD pipeline

Ensure that your development practices include:

  • Integrated compliance tools and monitoring systems
  • Documented dependency management
  • Clear contribution and licensing policies
  • Regular compliance reviews and audits

Step-by-Step Process

Establish Governance and Compliance Policies and Practices

  • Appoint a Licence Compliance Officer responsible for licensing decisions and queries.
  • Establish and enforce governance policies covering:
    • Inbound licences (allowed third-party licences)
    • Outbound licensing (especially where multiple licences apply)
    • Dependency evaluation, approval, and monitoring
    • Contribution terms (e.g. CONTRIBUTING or CLA), and contribution and version management
    • Licence management and conflict remediation
    • Use and maintenance of compliance tools
    • Internal reviews and audits
  • Ensure the team understands and follows these policies.
  • Maintain records of licensing decisions, reviews, audits, findings, corrective actions, and training activities.

Establish and Maintain Compliance Tools

  • Integrate automated scanning for direct and transitive dependencies, licences, vulnerabilities, and artefacts into the CI/CD pipeline for all maintained software versions.
  • Configure alerts and notifications for licence, version, and security issues.
  • Ensure compliance rules, scanning configurations, and alert thresholds are maintained and up to date.
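As a worked example of the kind of CI/CD compliance rule this section asks for (and of the "compliance tool rules and configuration files" and SBOM artefacts listed further down), here is a small licence-policy gate written for this page. It is not GÉANT's tooling or any project's own code. It assumes a CycloneDX-style JSON SBOM with SPDX licence identifiers (the page only recommends an SBOM; the format is an assumption here), a policy kept as a plain Python dict next to the CI configuration, and the constructed sample data shown inline. The gate applies the inbound-licence allowlist, treats a dependency with no declared licence as a failure rather than a pass, evaluates simple OR/AND SPDX expressions, honours time-limited waivers (the exception records the page mentions under artefacts) and reports an expired waiver as a finding, and exits non-zero so the pipeline fails and the team is notified.

```python
"""Licence-policy gate over a CycloneDX-style SBOM (added example, not GÉANT tooling).

Assumptions not taken from the page: SBOM is CycloneDX JSON whose components carry an
SPDX "id" or "expression" under "licenses"; the policy is a dict maintained in the
repository beside the CI configuration. All sample data below is constructed.
"""
import json
import sys
from datetime import date

# Constructed policy: the inbound-licence rules plus per-package, time-limited waivers.
POLICY = {
    "allowed": {"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0", "ISC"},
    "denied": {"GPL-3.0-only", "AGPL-3.0-only", "SSPL-1.0"},
    "waivers": {
        # Hypothetical approved exception, recorded with its ticket and expiry date.
        "pkg:pypi/legacy-tool@1.2.0": {"licence": "GPL-3.0-only", "expires": "2099-01-01", "ticket": "LIC-42"},
    },
}

# Constructed CycloneDX-style SBOM fragment; package names are invented.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"purl": "pkg:pypi/requests@2.31.0", "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"purl": "pkg:pypi/dual-lib@0.9.0", "licenses": [{"expression": "MIT OR GPL-3.0-only"}]},
    {"purl": "pkg:pypi/legacy-tool@1.2.0", "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    {"purl": "pkg:pypi/mystery@0.1.0"},
    {"purl": "pkg:pypi/sspl-db@4.0.0", "licenses": [{"license": {"id": "SSPL-1.0"}}]}
  ]
}
"""


def load_sbom():
    """Parse the constructed SBOM; a real gate would read the file produced by the build."""
    return json.loads(SBOM_JSON)


def licence_terms(component):
    """Return the SPDX identifiers or expressions declared for a component (empty if none)."""
    terms = []
    for entry in component.get("licenses", []):
        if "expression" in entry:
            terms.append(entry["expression"])
        elif "license" in entry:
            lic = entry["license"]
            terms.append(lic.get("id") or lic.get("name", ""))
    return [t for t in terms if t]


def expression_ok(expr, policy):
    """Evaluate a flat SPDX expression: OR needs one allowed branch, AND needs all of them."""
    expr = expr.replace("(", "").replace(")", "")  # nested grouping is out of scope here
    if " OR " in expr:
        return any(expression_ok(part, policy) for part in expr.split(" OR "))
    if " AND " in expr:
        return all(expression_ok(part, policy) for part in expr.split(" AND "))
    return expr.strip() in policy["allowed"]


def evaluate_sbom(sbom, policy, today_iso):
    """Return one finding per component that violates the inbound-licence policy."""
    today = date.fromisoformat(today_iso)
    findings = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl", "<no purl>")
        terms = licence_terms(comp)
        if not terms:
            # Unknown is not the same as allowed: undeclared licences block the build.
            findings.append({"purl": purl, "reason": "no licence declared"})
            continue
        if all(expression_ok(t, policy) for t in terms):
            continue
        waiver = policy["waivers"].get(purl)
        if waiver and waiver["licence"] in terms:
            if date.fromisoformat(waiver["expires"]) >= today:
                continue  # approved exception still in force
            findings.append({"purl": purl, "reason": f"waiver {waiver['ticket']} expired"})
            continue
        denied = [t for t in terms if any(d in t for d in policy["denied"])]
        reason = ("denied licence " + ", ".join(denied)) if denied else ("licence not on allowlist: " + ", ".join(terms))
        findings.append({"purl": purl, "reason": reason})
    return findings


def main():
    findings = evaluate_sbom(load_sbom(), POLICY, date.today().isoformat())
    for f in findings:
        print(f"FAIL {f['purl']}: {f['reason']}")
    # A non-zero exit fails the CI job, which is what turns the finding into a notification.
    sys.exit(1 if findings else 0)


if __name__ == "__main__":
    main()
```

Run as a CI step after the SBOM is generated; with the sample data it reports the undeclared licence and the SSPL dependency and fails the job, while the dual-licensed package passes through its MIT branch and the GPL package passes only while its waiver is in force.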

Prepare and Maintain Artefacts and Documentation

Create and maintain artefacts and documents that manage, support, and track licence, dependency, and security governance. Make them available to team members and auditors. Include:

  • Core licensing artefacts: README, LICENSE, COPYRIGHT, and, if applicable, NOTICE, CONTRIBUTING, and CHANGELOG for all included software
  • Dependency and licence management guidelines
  • SCA tool, licence, and security scan results and reports
  • Up-to-date list of all dependencies with licences and security status
  • Dependency and licence approvals, including exception or waiver records where applicable
  • Minutes or sign-off records from compliance reviews and audits
  • Records tracking known vulnerabilities and their remediation
  • Records of monitoring alerts and responses
  • Code testing or review records, including those tracking external contributions where applicable
  • CI/CD compliance tool rules and configuration files
  • Up-to-date onboarding and training materials for team members on licensing, security, and intellectual property rights (IPR) management
  • Contribution guidelines or policies
  • Software Bill of Materials (SBOM) for each software (recommended)

Implement Onboarding and Training

  • Provide documented onboarding and training for new and existing team members covering:
    • Compliance tools
    • Licensing practices
    • Identifying, reporting, and addressing licensing, security, and IPR concerns
  • Ensure all contributors follow documented processes and rules.
  • Keep training materials current and accessible.

Conduct and Document Ongoing Compliance

Maintain records for:

  • Approving new dependencies before integration
  • Monitoring licence changes and vulnerabilities in all dependencies
  • Responding to vulnerability and licence alerts
  • Handling contributions
  • Conducted compliance reviews and audits

Submit Request

Send a request to the Licence Management Team, including:

  • Contact details of the Licence Compliance Officer
  • Results of the SLA or equivalent review for exemplary software
  • Access to the code repository for exemplary software, including all relevant artefacts (README, LICENSE, COPYRIGHT, NOTICE, CHANGELOG, etc.)
  • List of all dependencies with licences and security status for exemplary software
  • Results of automated checks, including examples of CI/CD compliance tool rules
  • Governance and compliance policies, including dependency and licence management guidelines
  • Evidence of governance and training activities, such as onboarding materials and contribution guidelines
  • Exemplary records of dependency management and compliance decisions
  • Exemplary records associated with one or several contributions
  • Exemplary records of known vulnerabilities and their remediation
  • Records of compliance reviews and audits
  • Clarifications or supporting notes, if needed

Refer to Contact Us for instructions on communicating with the team.

Respond to Review Feedback

Cooperate with the Licence Management Team to:

  • Provide requested clarifications
  • Demonstrate compliance tool effectiveness
  • Perform remediation if required (e.g. by addressing documentation or process gaps)

Use of SCA and SLA services to verify compliance and practice performance may be required.

Use Certificate

Upon approval, your project and associated software will receive the Software Licence Assurance Certificate, visible at certificates.software.geant.org and in the GÉANT Software Catalogue.

Reference the certificate in documentation, metadata, project pages, or communications. The Licence Management Team will provide guidance on how to do this and will also provide a review report that may help you improve your practices and processes.

After Certification

Maintain Compliance

To keep the certificate valid:

  • Uphold all compliance procedures and practices continuously, modifying them when needed.
  • Keep compliance tools and their configurations up to date.
  • Implement governance, compliance monitoring, and automation measures across all included software.
  • Address identified issues promptly.
  • Clearly mark which software versions are actively maintained.
  • Maintain compliance artefacts, documentation, and data.
  • Respond to queries from users, contributors, or the Licence Management Team.
  • Conduct internal or external audits at least every two years.
  • Address review and audit findings.
  • Inform the Licence Management Team of any major practice changes.

Reviews, Audits, and Responding to Changes

  • A biennial audit is required, either as an internal audit by the development team or as an external audit arranged with the Licence Management Team.
  • Spot checks may be initiated after major changes or events.
  • An internal review is required following:
    • Governance or leadership changes
    • Major changes to compliance processes
    • Serious compliance concerns raised by users

Contact the Licence Management Team proactively when significant changes occur to determine if recertification is needed.

Certificate Validity

The certificate is valid indefinitely, unless revoked.