ISVforce Guide

ISVforce Guide: Build and Distribute AppExchange Solutions
Get Ready to Distribute on AppExchange
Use Managed Packages to Develop Your AppExchange Solution
Manage Orgs with Environment Hub
Architectural Considerations for Group and Professional Editions
Security Requirements for AppExchange Partners and Solutions
Pass the AppExchange Security Review
Prepare for the AppExchange Security Review
Manage Your Security Reviews
Start an AppExchange Security Review
Edit Your AppExchange Security Review Before You Submit
Submit Your Solution for AppExchange Security Review
Update Your Returned AppExchange Security Review
Check the Status of Your AppExchange Security Review
Ask Us to Take A Second Look at Our Submission Verification Feedback
Download Your AppExchange Security Review Report
Resubmit a Returned Security Review Where All Issues Are False Positives
Resubmit a Failed Security Review Where All Issues Are False Positives
Expired AppExchange Security Review
Troubleshoot an Expired Security Review
Act on Security Review Results
Submit Your Solution for a Follow-Up AppExchange Security Review
Request a Follow-Up Security Review for a New Package Version
Request a Follow-Up Security Review for an API-Only Solution with Revised Code
Request a Follow-Up Security Review for a Managed Package with Revised Code and False Positives
Request a Follow-Up Security Review for an API Solution with Revised Code and False Positives
List Your Solution on AppExchange
Periodic Security Re-Reviews on AppExchange
Manage Your AppExchange Listings
Sell on AppExchange with Checkout
Report Orders to Salesforce with the Channel Order App
Provide Free Trials of Your AppExchange Solution
OEM User License Guide
PDF

Newer Version Available

This content describes an older version of this product. View Latest

Submit Your Solution for a Follow-Up AppExchange Security Review

The security review of your solution is complete, but our security team found security vulnerabilities. Your solution isn’t approved for distribution on AppExchange. It’s not the result that you hoped for, but you’re in good company. Many solutions don’t pass on the first try. Fix the vulnerabilities, and submit your solution for a follow-up review.

The security review report lists the types of security vulnerabilities that Product Security found. For each vulnerability type, the report includes:

  • A specific example from your solution
  • Steps to reproduce the issue
  • Links to documentation or comments about how to fix the issue

Our goal is to find as many different types of vulnerabilities as possible, but keep in mind that the security review is a black-box, time-limited process. We can’t always list every instance of a security vulnerability, and it’s possible that we don’t initially detect all issue types. Interpret the security review findings as representative examples of the types of issues you must fix. Unless otherwise noted in the report, you’re required to fix all classes of issues across the entire solution.

We’re available to help you analyze the findings and troubleshoot security vulnerabilities. Schedule a technical office hours appointment on the Partner Security Portal.

As you revise your solution, fix only the security issues discovered in the review and the code in the existing package. If you make other revisions, such as functionality changes, we require that the revised solution goes through an initial security review. That’s also the case if you spin up a new package for the revised code.

If the package ID and namespace don’t change, your resubmission qualifies for a follow-up review.

Important

After you fix the solution, collect the materials necessary for us to complete a follow-up review. Rerun the required scanner tools on your revised solution and generate updated scan reports. If you fixed issues in your managed package, provide updated Source Scanner results. If you fixed issues detected on an external endpoint, provide updated Dynamic Application Security Test (DAST) scan reports. If applicable, document your responses to false positives.

For more details about what to submit, see Required Materials for Security Review Submission.