Maintainer

Verusum is the sole maintainer of vsmcodex. The maintainer holds final authority over technical direction, methodology decisions, releases, and the public surface of the project. The relationship between the open-source vsmcodex project and the commercial Verusum platform follows the Confluent–Kafka and Elastic–Elasticsearch sponsor-and-protocol pattern: the codex is openly maintained, freely licensed, and developed in public; Verusum's commercial verification platform sits on top of it and contributes back upstream.

The "benevolent dictator with CLA" model is the standard governance pattern used by mature single-organisation-led open-source projects (Python, Linux Foundation member projects, Apache committers' projects in their pre-foundation periods). It supports fast methodology decisions during the regulatory build-out window, vsmcodex needs to align with EU CBAM Implementing Regulation 2023/1773, Delegated Regulation (EU) 2025/2551, and COM(2025) 783, and these alignment decisions cannot wait for community consensus on every detail.

Contributor Licence Agreement

All contributions to vsmcodex require a signed Contributor Licence Agreement. Verusum has adopted the Apache Software Foundation's Individual Contributor Licence Agreement (ICLA) and Corporate Contributor Licence Agreement (CCLA) verbatim. The same templates used by the ASF, OpenStack, Cloud Native Computing Foundation, and hundreds of other open-source projects. Adopting these templates without modification means contributors familiar with the ASF flow can sign without re-reading.

The CLA is administered through CLA Assistant on GitHub. When a contributor opens their first pull request, the bot detects unsigned status and links to the signing form. Signing is a one-time action per contributor; subsequent contributions inherit the signature.

The CLA assigns copyright in contributions to Verusum (as the maintaining organisation) while granting contributors a perpetual licence to their own contributions. This is the standard structure for projects on a foundation pathway; it preserves Verusum's ability to relicense the codex if and when it is donated to a foundation, without requiring re-signature from every prior contributor.

Decision-making

Technical and methodology decisions are made openly on GitHub Issues. The maintainer holds final call. For non-trivial methodology questions, decisions are cross-referenced against the underlying EU regulation, against the Sustainable Value Stream Mapping academic literature (Faulkner & Badurdeen 2014 and subsequent work), and against any published guidance from DG TAXUD or European Accreditation. Decisions affecting the public methodology are documented as decision records in the repository.

Verusum participates in the EU regulatory consultation process; the methodology consultations run by DG TAXUD, the European Accreditation TFG EU CBAM observership track, and academic position-paper publishing in collaboration with academic partners. Where regulatory guidance evolves, vsmcodex evolves with it.

Trademark

The wordmarks, "vsmcodex" and "verusum" are subjects of trademark filings with the UK IPO and EUIPO. Once granted, the marks are owned by Verusum Ltd. Anyone is free to refer to the project as "vsmcodex" in academic citations, regulatory submissions, journalism, and discussion. The marks may not be used to suggest endorsement of derivative work, to brand competing products, or in ways likely to confuse the marks' source.

Detailed trademark guidance is published at the project repository in TRADEMARKS.md from public launch (1 September 2026).

Foundation pathway

vsmcodex is currently maintained by Verusum, but the project is designed to graduate to an independent foundation if and when it reaches the scale where foundation governance materially benefits contributors and users. The transition is gated by three simultaneous conditions: a meaningful population of independent contributors and downstream users; a candidate foundation whose scope and governance match the project's needs; and the financial and operational readiness within Verusum to make the transfer.

Candidate foundations under consideration include the Linux Foundation Climate, the Open Source Security Foundation, and any dedicated EU CBAM or carbon-border-regime foundation that may emerge. No transition is planned in 2026 or 2027.

Succession

Succession planning for the maintainer role will be formalised before the foundation transition trigger fires. Until then, the maintainer commitment is held by Verusum as a corporate entity (rather than personally), which provides continuity protection against the loss of any individual.