Security Review FAQ

This section contains a list of frequently asked questions about the security review.

• Is an AppExchange security review required?
• What comprises a security review?
• Why do I need to undergo a security review?
• How long does the security review take? How often is it required?
• Is there a fee?
• Do free applications need to pay for a security review?
• Why do I have to test my app before the review if the security team is going to test it anyway?
• What are the typical reasons why I would not pass the security review?
• Can I submit my application before it's complete so I can get the security review process done early?
• Why am I getting an error when I request a security review?
• If I have any “No” responses in the security questionnaire, or no formal and detailed documentation, will I fail the review?
• Why does the review team need to test the X or Y part of my offering?
• Do I have to fix all the issues that the security review team reported?
• Why can’t the review team send me every instance of every finding for my review?
• What happens after I pass the security review?
• What happens if my application is not approved?
• What’s the difference between Passed, Provisional Pass, and Failed?
• If I update my application, do I need to pay the security review fee again to have it reviewed?
• When I create a new managed package (effectively an upgrade of my first application), will I need to pay the fee again to have it security reviewed?
• Why do I need to do periodic security reviews?
• I understand that reviewed solutions are able to work with PE and GE organizations. How does this work?