Submit an Extension Package for Security Review
ISVs create extension packages when they want to provide add-on features to their apps. The extension packages also help when ISVs want to support Salesforce editions like PE and GE with their app. Another use case is creating a "bridge" package that enables the ISV’s app to work with another app.
All packages, whether base or extension, require a security review. The review process for an extension package is the same as for a base package.
Some extension packages are very small, for example, a few links or buttons that call base package components. The same process applies regardless of the size of the extension package; the only difference is that the review is faster for smaller packages.
- Upload your extension package. Like your base package, it should be a managed-release package. The extension package can only be uploaded from an organization separate from the one used for the base package.
- In your AppExchange listing, link the organization where the extension package was created. The extension package should appear in the list of packages under your listings.
- Initiate the security review. Make sure your test account includes both the base and extension packages.
It’s important that every extension package is reviewed and approved by the Salesforce security team. Even small packages can introduce vulnerabilities to the platform. As with a base package, do a self-scan of the code before submitting for review. If the extension package has components that interface with an external application, run a web application scan with a tool such as Zed Attack Proxy (ZAP) or Burp, and submit the corresponding results.