This content describes an older version of this product.

Submit Your Solution for a Follow-Up Review

The security review of your solution is complete, but the Product Security team found security vulnerabilities. Your solution isn’t approved for distribution on AppExchange. It’s not the result you hoped for, but you’re in good company. Most solutions don’t pass on the first try. Fix the vulnerabilities, and submit your solution for a follow-up review.
The security review report lists the types of security vulnerabilities that Product Security found. For each vulnerability type, the report includes:
  • A specific example from your solution
  • Steps to reproduce the issue
  • Links to documentation or comments about how to fix the issue

Our goal is to find as many different types of vulnerabilities as possible, but keep in mind that the security review is a black-box, time-limited process. We can’t always list every instance of a security vulnerability, and we might not initially detect all issue types. Interpret the security review findings as representative examples of the types of issues you must fix. Unless otherwise noted in the report, you’re required to fix all classes of issues across the entire solution.

We’re available to help you analyze the findings and troubleshoot security vulnerabilities. Schedule a technical office hours appointment on the Partner Security Portal.

As you revise your solution, fix only the security issues discovered in the review, and make those fixes in the code of the existing package. If you make other revisions, such as functionality changes, we require that the revised solution go through an initial security review. The same applies if you spin up a new package for the revised code.

If the package ID and namespace don’t change, your resubmission qualifies for a follow-up review.

Important

After you fix the solution, collect the materials necessary for us to complete a follow-up review. Rerun the required scanner tools on your revised solution and generate updated scan reports. If you fixed issues in your managed package, provide updated Source Scanner results. If you fixed issues detected on an external endpoint, provide updated ZAP or Chimera scan reports. If applicable, document your responses to false positives.

For more details about what to submit, see Required Materials for Security Review Submission.

The process to request a follow-up review depends on the scope of changes.

  • New Package Version—You fixed code that runs on the Salesforce platform. Create and upload a new version of your managed package to your AppExchange listing. Then start a review for the new version. If you also made changes external to the package, include details with your submission.
  • External Code or API-Only Solution—You changed only the code that runs externally to Salesforce. Edit your existing security review submission. Provide details about the changes. To alert Product Security that you’re resubmitting your solution, log a support case in the Salesforce Partner Community. For product, specify Partner Community & AppExchange. For topic, specify Security Review. Include your package name, ID, and version in the comments.