This certificate builds upon the Verified Software Licence certificate, and confirms that a project integrates mature, sustainable, and traceable licensing and dependency management into its development and delivery lifecycle. It applies to actively maintained, publicly or purposefully distributed software under consistent governance.

The certificate may cover a single project or a group of products under unified ownership and management. It remains valid indefinitely, provided certified practices are maintained and biennial audits are passed.

A full specification of the Software Licence Assurance certificate is also available.

Prerequisites

Ensure your project:

  • Meets all requirements for the Verified Software Licence for all its software
  • Is actively maintained and publicly or purposefully distributed
  • Has a designated Licence Compliance Officer for oversight
  • Integrates automated licence and dependency scanning and validation, with notifications, into the CI/CD pipeline

Ensure that your development practices include:

  • Integrated compliance tools and monitoring systems
  • Documented dependency management
  • Clear contribution and licensing policies
  • Regular compliance reviews and audits

Step-by-Step Process

Establish Governance and Compliance Policies and Practices

  • Appoint a Licence Compliance Officer responsible for licensing decisions and queries.
  • Establish and enforce governance policies covering:
    • Inbound licences (allowed third-party licences)
    • Outbound licensing (especially if various licences are applied)
    • Dependency evaluation, approval, and monitoring
    • Contribution terms (e.g. CLAs) and management
    • Licence conflict resolution
    • Use and maintenance of compliance tools
    • Internal reviews and audits
  • Ensure the team understands and follows these policies.
  • Maintain records of licensing decisions, reviews and audits, their findings, corrective actions, and training activities.

Establish and Maintain Compliance Tools

  • Integrate automated scanning for direct and transitive dependencies, licences, vulnerabilities, and artefacts into the CI/CD pipeline for all maintained software versions.
  • Configure alerts and notifications for licence, version, or security issues.
  • Keep compliance rules, scanning configurations, and alert thresholds up to date.

Prepare and Maintain Artefacts and Documentation

Maintain the following artefacts and documentation, and make them accessible to team members and auditors:

  • Up-to-date list of all dependencies with licences and security status
  • LICENSE, COPYRIGHT, README, and, if applicable, NOTICE and CHANGELOG
  • Software Bill of Materials (SBOM) (recommended)
  • Records of compliance decisions and reviews
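The two preceding sections ask for automated licence checks in the CI/CD pipeline with alerts and thresholds, and for an SBOM or dependency list as an artefact. The following is an added example, written for this page; it is not GÉANT's tooling and not part of the certificate specification. It reads a CycloneDX-format SBOM (the JSON shape is the real CycloneDX one, the component data is constructed), applies an inbound-licence policy whose allowed and denied SPDX identifiers and alert threshold are placeholder assumptions, and returns a pass/fail decision plus alert lines that a pipeline step could emit. The SPDX expression handling is deliberately simplified (flat OR-of-AND clauses, parentheses dropped), which the comments state.

```python
"""Inbound-licence policy gate over a CycloneDX-style SBOM (added example)."""
import json
from typing import Dict, List

# Ordering used to combine licence statuses: lower is better.
RANK = {"allowed": 0, "unknown": 1, "denied": 2}

# Constructed policy. The identifier sets and threshold are placeholders; a
# project's governance policy (its inbound-licence list) supplies the real ones.
POLICY = {
    "allowed": {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"},
    "denied": {"AGPL-3.0-only", "AGPL-3.0-or-later", "SSPL-1.0"},
    "fail_on_unknown": True,   # treat unrecognised or missing licences as findings
    "max_findings": 0,         # alert threshold: more than this fails the gate
}

# Constructed SBOM fragment in CycloneDX JSON shape; not a real project's SBOM.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "requests", "version": "2.32.3",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "vendor-widget", "version": "0.1.0",
         "licenses": [{"license": {"name": "Custom Commercial EULA"}}]},
        {"type": "library", "name": "dual-lib", "version": "1.4.0",
         "licenses": [{"expression": "MIT OR GPL-2.0-only"}]},
        {"type": "library", "name": "db-driver", "version": "5.0.0",
         "licenses": [{"license": {"id": "SSPL-1.0"}}]},
        {"type": "library", "name": "orphan-lib", "version": "3.3.3"},
    ],
})


def classify(identifier: str, policy: dict) -> str:
    """Map one SPDX identifier (or free-text name) to allowed/denied/unknown."""
    if identifier in policy["denied"]:
        return "denied"
    if identifier in policy["allowed"]:
        return "allowed"
    return "unknown"


def evaluate_expression(expr: str, policy: dict) -> str:
    """Evaluate a flat SPDX expression such as 'A OR (B AND C)'.

    Simplification: parentheses are dropped and the text is read as OR-of-AND
    clauses. OR lets the integrator pick the best option, AND binds them to all
    terms, so OR takes the best status of its clauses and AND the worst.
    """
    flat = expr.replace("(", " ").replace(")", " ")
    clause_status = []
    for clause in flat.split(" OR "):
        terms = [t.strip() for t in clause.split(" AND ") if t.strip()]
        if terms:
            clause_status.append(max((classify(t, policy) for t in terms),
                                     key=RANK.__getitem__))
    return min(clause_status, key=RANK.__getitem__) if clause_status else "unknown"


def component_status(component: dict, policy: dict) -> str:
    """Combine a component's licence entries; a missing licence is 'unknown'.

    Several entries in the licenses array are combined conservatively (worst
    wins); a genuine choice between licences should be written as an expression.
    """
    statuses = []
    for entry in component.get("licenses") or []:
        if "expression" in entry:
            statuses.append(evaluate_expression(entry["expression"], policy))
        else:
            lic = entry.get("license") or {}
            statuses.append(classify(lic.get("id") or lic.get("name") or "", policy))
    return max(statuses, key=RANK.__getitem__) if statuses else "unknown"


def scan_sbom(sbom_json: str, policy: dict = POLICY) -> List[Dict[str, str]]:
    """Return one finding per component that violates the inbound policy."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        status = component_status(comp, policy)
        if status == "denied" or (status == "unknown" and policy["fail_on_unknown"]):
            findings.append({"name": comp.get("name", "?"),
                             "version": comp.get("version", "?"),
                             "status": status})
    return findings


def format_alerts(findings: List[Dict[str, str]]) -> List[str]:
    """Alert lines for the CI log or a notification hook (constructed format)."""
    return [f"[{f['status'].upper()}] {f['name']}@{f['version']}: licence review required"
            for f in findings]


def gate(sbom_json: str, policy: dict = POLICY) -> bool:
    """True when the build may proceed: findings are within the threshold."""
    return len(scan_sbom(sbom_json, policy)) <= policy["max_findings"]


if __name__ == "__main__":
    for line in format_alerts(scan_sbom(SAMPLE_SBOM)):
        print(line)
    raise SystemExit(0 if gate(SAMPLE_SBOM) else 1)
```

Run as a pipeline step, the non-zero exit status fails the build when the threshold is exceeded, which is the "alert" the section asks for; the three findings on the constructed SBOM (a free-text licence name, a denied SSPL component, and a component with no licence at all) show why "unknown" should be a finding rather than silently allowed, since a scanner that only flags known-bad identifiers lets unlicensed dependencies through.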

Implement Onboarding and Training

  • Provide documented onboarding and training for new and existing team members covering:
    • Compliance tools
    • Licensing practices, including identifying and reporting licensing and IPR concerns
    • Contribution guidelines and requirements
  • Ensure all contributors follow documented processes and rules.
  • Keep training material up to date.

Conduct and Document Ongoing Compliance

Maintain records of:

  • Approval of new dependencies before integration
  • Monitoring of licence changes and vulnerabilities in all dependencies
  • Responses to vulnerability and licence alerts
  • Handling of contributions
  • Compliance reviews and audits conducted

Submit Request

Send a request to the Licence Management Team, including:

  • Results of the SLA or equivalent review
  • Access to the code repository with all relevant artefacts
  • Results of automated checks
  • Governance and compliance policies
  • Evidence of governance and training activities
  • Any clarifications or supporting notes

See the Contact us section for information on how to communicate with the Team.

Respond to Review Feedback

Cooperate with the Licence Management Team to:

  • Provide requested clarifications
  • Demonstrate compliance tool effectiveness
  • Address documentation or process gaps

You may be required to use SCA and SLA services to verify compliance and the performance of your practices.

Use Certificate

Upon approval, your project will receive the Software Licence Assurance certificate, which will be visible in the GÉANT Software Catalogue for all covered software projects.

You may reference the certificate in your documentation, metadata, project page, or communications. The Licence Management Team will provide guidance on how to do this. They will also provide a review report.

After Certification

Keep It Valid

Your certificate remains valid indefinitely, provided you:

  • Uphold all compliance procedures and practices continuously, modifying them when needed
  • Maintain compliance tools and their configurations
  • Monitor for dependency and licence changes, and address any related issues
  • Mark clearly which versions are maintained
  • Keep licensing artefacts and compliance documentation up to date
  • Respond to compliance queries from users, contributors, or the Licence Management Team
  • Conduct internal or external audits at least every two years
  • Address critical review and audit findings promptly
  • Inform the Licence Management Team of any major practice changes

Reviews, Audits, and Responding to Changes

  • A full audit is required at least once every two years.
    • Internal audits can be conducted by your team.
    • External audits may be arranged with or through the Licence Management Team.
  • Spot checks may be initiated after major changes or events.
  • An internal review is required following:
    • Governance or leadership changes
    • Major changes to compliance processes
    • Compliance concerns raised by users

Contact the Licence Management Team proactively when significant changes occur to determine whether recertification is needed. See the Contact us section for information on how to communicate with the Team.
