ISVforce Guide

Welcome to the ISVforce Guide
ISVforce Quick Start
Grow Your AppExchange Business
Design and Build Your Solution
Package and Test Your Solution
Pass the AppExchange Security Review
Publish Your Solution on AppExchange
What Is the AppExchange?
Business Plans for AppExchange Listings
Submit a Due Diligence and Compliance Certification
Publish on AppExchange
Connect a Packaging Organization to AppExchange
Create or Edit Your Provider Profile
Create or Edit an AppExchange Listing
Add a Business Plan to an AppExchange Listing
Make Your AppExchange Listing Effective
Choose an Installation Option
Register Your Package and Choose License Settings
Complete the Security Review Cycle
Required Materials for Security Review Submission
Security Review and AppExchange Listing Fees
Update Your Credit Card Information
Submit Your Solution for Security Review
Act on Security Review Results
Submit Your Solution for a Follow-Up Review
Request a Follow-Up Review for a New Package Version
Request a Follow-Up Review for External Code or an API-Only Solution
List Your Solution on AppExchange
Periodic Re-Reviews
How Does AppExchange Search Work?
Email Notifications
Collect AppExchange Leads
Analytics Reports for Publishers
Update the Package in an AppExchange Listing
AppExchange FAQ
Sell on AppExchange with Checkout
Monitor Performance with Analytics for AppExchange Partners
Manage Orders
Manage Licenses
Manage Features
Provide a Free Trial of Your Solution
Support Your AppExchange Customers
Update Your Solution
Appendices
Glossary
PDF

Newer Version Available

This content describes an older version of this product. View Latest

Submit Your Solution for a Follow-Up Review

The security review of your solution is complete, but the Product Security team found security vulnerabilities. Your solution isn’t approved for distribution on AppExchange. It’s not the result you hoped for, but you’re in good company. Most solutions don’t pass on the first try. Fix the vulnerabilities, generate updated scan reports, and submit your solution for a follow-up review.
A security review report for a solution that didn’t pass lists the types of security vulnerabilities that Product Security found. For each vulnerability type, the report includes:
  • A specific example from your solution.
  • Steps to reproduce the issue.
  • Links to documentation or comments about how to fix the issue.

Our goal is to find as many different types of vulnerabilities as possible, but keep in mind that the security review is a black-box, time-limited process. We can’t always list every instance of a security vulnerability, and we may not initially detect all issue types. Interpret the security review findings as representative examples of the types of issues you must fix. Unless otherwise noted in the report, you’re required to fix all classes of issues across the entire solution.

We’re available to help you analyze the findings and troubleshoot security vulnerabilities. Schedule a technical office hours appointment on the Partner Security Portal.

As you revise your solution, exclusively fix security issues discovered in a previous review, and fix the code in the existing package. If you make other revisions, such as functionality changes, we require that the revised solution go through an initial security review. That’s also true if you spin up a new package for the revised code.

If the package ID and namespace don’t change, your resubmission qualifies for a follow-up review.

Important

After you fix the solution, collect the materials necessary for us to complete a follow-up review. Rerun the required scanner tools on your revised solution and generate updated scan reports. If you fixed issues in your managed package, provide updated Source Scanner results. If you fixed issues detected on an external endpoint, provide updated ZAP or Chimera scan reports. If applicable, document your responses to false positives.

For more details about what to submit, see Required Materials for Security Review Submission.

The process to request a follow-up review depends on the scope of changes.

  • New Package Version: You fixed code that runs on the Salesforce platform. Create and upload a new version of your managed package to your AppExchange listing. Then start a review for the new version. If you also made changes external to the package, be prepared to provide details about those changes in the security review wizard.
  • External Code or API-Only Solution: You only changed code that runs externally to Salesforce. Edit your existing security review submission. Provide details about the changes in the security review wizard. Log a security review case so that Product Security knows you’re resubmitting your solution.