Security Review FAQ

This section contains a list of frequently asked questions about the security review.

• Is an AppExchange security review required?
• What happens during a security review?
• Why do I need to have a security review?
• How long does the security review take? How often is it required?
• Is there a fee for the security review?
• Why do I have to test my offering before the review if the security team is going to test it anyway?
• What are the typical reasons why I would not pass the security review?
• Can I submit my offering before it’s complete to get the security review process done early?
• If I have any “No” responses in the security review wizard, or no formal and detailed documentation, do I fail the review?
• Why does the review team need to test the X or Y part of my offering?
• Do I have to fix all the issues that the security review team reported?
• Why can’t the review team send me every instance of every finding for my review?
• What happens after I pass the security review?
• What happens if my offering isn’t approved?
• What’s the difference between Approved, Provisional Pass, and Not Approved?
• When I update my offering, do I need to pay the security review fee again to have it reviewed?
• When I create a managed package to upgrade my offering, do I need to pay the security review fee again?
• Why perform periodic security reviews?
• How do reviewed solutions work with PE and GE organizations?