Portal Community

Revocation Triggers

| Trigger | How It Occurs | Revocation Immediate? |
| --- | --- | --- |
| Security scan failure | Periodic rescans (quarterly) discover new Critical/High vulnerabilities in package dependencies that were added after certification | Yes — revocation on scan failure confirmation |
| Policy violation | Admin discovers the package now violates content policies (updated policies or newly discovered violations) | Yes — revocation at admin discretion |
| Documentation removed | Publisher takes down their documentation URL — the URL now returns 404 | Warning first, then revocation after 14-day cure period |
| Publisher request | Publisher requests revocation (e.g., package is deprecated and they don't want to maintain cert standards) | Yes — immediate on request |

Revocation Process

Revocation Trigger Detected

Security scan flags a vulnerability, or admin identifies a policy violation.

Publisher Notified

Publisher receives email with the specific reason for revocation and (if applicable) a cure period to resolve the issue.

Cure Period (if applicable)

For documentation removal and some policy violations, the publisher has 14 days to resolve the issue before revocation. Security failures trigger immediate revocation.

Certification Revoked

Package reverts to Community certification. The Certified badge is removed from all package cards and the detail page. The 100 reputation points are also deducted.

Recertification After Revocation

After revocation, the publisher can fix the underlying issue and reapply for Certified status through the standard application process. There is no permanent ban — revoked packages are eligible to apply again once the issue is resolved.

Reputation points on revocation

If certification is revoked, the 100 reputation points originally credited are deducted from the publisher's score. If this brings the score below a tier threshold, the publisher's tier is NOT reduced — tier is based on lifetime points and is protected from revocation deductions.