ISVforce Guide
jSummer '26 (API version 67.0)
Spring '26 (API version 66.0)
Winter '26 (API version 65.0)
Summer '25 (API version 64.0)
Spring '25 (API version 63.0)
Winter '25 (API version 62.0)
Summer '24 (API version 61.0)
Spring '24 (API version 60.0)
Winter '24 (API version 59.0)
Summer '23 (API version 58.0)
Spring '23 (API version 57.0)
Winter '23 (API version 56.0)
Summer '22 (API version 55.0)
Spring '22 (API version 54.0)
Winter '22 (API version 53.0)
Summer '21 (API version 52.0)
Spring '21 (API version 51.0)
Winter '21 (API version 50.0)
Summer '20 (API version 49.0)
Spring '20 (API version 48.0)
Winter '20 (API version 47.0)
Summer '19 (API version 46.0)
Spring '19 (API version 45.0)
Winter '19 (API version 44.0)
Summer '18 (API version 43.0)
Spring '18 (API version 42.0)
Winter '18 (API version 41.0)
Summer '17 (API version 40.0)
Spring '17 (API version 39.0)
Winter '17 (API version 38.0)
Summer '16 (API version 37.0)
Spring '16 (API version 36.0)
Winter '16 (API version 35.0)
Summer '15 (API version 34.0)
Spring '15 (API version 33.0)
Winter '15 (API version 32.0)
Spring '14 (API version 30.0)
Security Review
Required Materials for Security Review Submission
Security Review Steps
Security Review Wizard
Submit a Client or Mobile App for Security Review
Submit an Extension Package for Security Review
Security Review Resources
Is an AppExchange security review required?
What happens during a security review?
Why do I need to have a security review?
How long does the security review take? How often is it required?
Is there a fee for the security review?
Why do I have to test my offering before the review if the security team is going to test it anyway?
What are the typical reasons why I would not pass the security review?
Can I submit my offering before it’s complete to get the security review process done early?
If I have any “No” responses in the security review wizard, or no formal and detailed documentation, do I fail the review?
Why does the review team need to test the X or Y part of my offering?
Do I have to fix all the issues that the security review team reported?
Why can’t the review team send me every instance of every finding for my review?
What happens after I pass the security review?
What happens if my offering isn’t approved?
What’s the difference between Approved, Provisional Pass, and Not Approved?
When I update my offering, do I need to pay the security review fee again to have it reviewed?
When I create a managed package to upgrade my offering, do I need to pay the security review fee again?
Why perform periodic security reviews?
How do reviewed solutions work with PE and GE organizations?
Glossary
Newer Version Available
When I create a managed package to upgrade my offering, do I need to pay the security review fee again?
No. If you developed the new version with a package that we’ve previously approved, it’s automatically approved when you submit it for review. However, you are asked to confirm your payment information when you run the security review wizard.