Summary
SEAL certification is a point-in-time assessment. Unlike frameworks such as ISO 27001, there is no surveillance or recertification mechanism built into the model, so a hard "expiry" date is misleading, and a perpetual certification with no date is also misleading. Proposal: show two dates on every certification instead.
Proposal
Display on the attestation and badge:
SEAL Certified
Last Reviewed: June 2026
Recommended Reassessment: June 2027
Default recommended reassessment cadence of 12 months, configurable per engagement.
Rationale
A point-in-time assessment benefits from a visible assessment date plus a recommended review cadence. This gives transparency on when the assessment was performed, encourages ongoing review, and avoids implying that the certification automatically expires on a fixed date. It also fits the framework's broad, evolving scope (operational security, wallet management, governance, incident response, organizational controls), which both a perpetual undated certification and a hard expiry model would serve poorly.
Surfaces to change
- Attestation (EAS) schema: add
lastReviewed and recommendedReassessment fields.
- Certification badge display.
- Docs: the
overview FAQ ("Can a project lose their certification?" currently implies a time-limited / expiry model) and certification-guidelines.
Raised by @zS-SFC.
TODO (housekeeping): create a certifications label for the repo and apply it to certs issues like this one. The certs contribution guide (#521) directs contributors to open issues with the certifications tag, but that label does not exist yet. This issue currently uses the closest existing labels instead.
Summary
SEAL certification is a point-in-time assessment. Unlike frameworks such as ISO 27001, there is no surveillance or recertification mechanism built into the model, so a hard "expiry" date is misleading, and a perpetual certification with no date is also misleading. Proposal: show two dates on every certification instead.
Proposal
Display on the attestation and badge:
Default recommended reassessment cadence of 12 months, configurable per engagement.
Rationale
A point-in-time assessment benefits from a visible assessment date plus a recommended review cadence. This gives transparency on when the assessment was performed, encourages ongoing review, and avoids implying that the certification automatically expires on a fixed date. It also fits the framework's broad, evolving scope (operational security, wallet management, governance, incident response, organizational controls), which both a perpetual undated certification and a hard expiry model would serve poorly.
Surfaces to change
lastReviewedandrecommendedReassessmentfields.overviewFAQ ("Can a project lose their certification?" currently implies a time-limited / expiry model) andcertification-guidelines.Raised by @zS-SFC.
TODO (housekeeping): create a
certificationslabel for the repo and apply it to certs issues like this one. The certs contribution guide (#521) directs contributors to open issues with thecertificationstag, but that label does not exist yet. This issue currently uses the closest existing labels instead.