Submit an Extension Package for Security Review
ISVs create extension packages when they want to provide add-on features to their apps. The extension packages also help when ISVs want to support Salesforce editions like PE and GE with their app. Another use case is creating a "bridge" package that enables the ISV’s app to work with another app.
All packages, whether base or extension, require a security review. Follow the same process for review of an extension package as for a base package.
Some extension packages are small, for example, a few links or buttons that call base package components. Regardless of the size of the extension package, follow the same process. The only difference is that the review process is faster for smaller packages.
- Upload your extension package (be sure it is managed-release, like your base package). Upload the extension package from an organization other than the org used for the base package.
- In your AppExchange listing, link the organization where the extension package was created. The extension package appears in the list of packages under your listings.
- Initiate the security review. Make sure that your test account includes both the base and extension packages.
It’s important that the Salesforce security team reviews every extension package. Even small packages can introduce vulnerabilities to the platform. As with a base package, run a self-scan of the code before submitting for review. If the extension package has components that interface with an external application, run a web application scan with a tool such as Zed Attack Proxy (ZAP) or Burp. Submit the corresponding results.