Feedback About Your Completed Review

There are two possible AppExchange security review outcomes. Either your solution passed or it didn’t. In either case, the feedback section contains tips for what to do next.

If your solution passed, congratulations! You’re one step closer to publicly listing your solution on AppExchange. If your solution didn’t pass, it means the Product Security team detected security issues in your solution. You can’t list the solution on AppExchange or distribute it to customers yet. Go to the Overview page and download your review report. It lists the types of security issues and vulnerabilities that we detected, but not every instance of each.

If you agree that an issue in the report is a valid vulnerability, remediate your solution. If you believe that an issue doesn’t pose a security risk, document it as a false positive.

Address every issue, then:

  • If you remediated your solution and there are no false positives, start a new review from the Solutions page. After you enter all the required info, request a follow-up review. For API solution types, you must create another solution for the follow-up review. There’s a fee to retest a remediated solution.
  • If you remediated your solution and there are false positives, start a new review from the Solutions page. Enter all the required information and upload a false-positives report. Then, request a follow-up review. For API solution types, you must create another solution for the follow-up review. There’s a fee to retest a remediated solution.
  • If you only documented false positives, go to the Overview page in the security review wizard, upload a false-positives report, and resubmit the same review. There’s no fee for us to evaluate a false-positives report.

If you have additional questions or concerns, book a technical office hours appointment so that Product Security can work with you on your resubmission.