Periodic Security Re-Reviews on AppExchange
When you upgrade a managed package version of a solution that passed security review, you don’t go through the full review process again. You can immediately associate the new version with your AppExchange listing.
To identify which listed solutions are due for re-review, we consider potential risk and the amount of time since the solution was listed. To determine potential risk, we run risk-factor reports. If your solution shows significant change, it’s likely that we require a re-review. However, a low risk factor can mean that your solution isn’t flagged for re-review.
If we determine that a re-review is required, we send an email notification to the security review contact listed on the Company Info page of the AppExchange Partner Console. We also update the security review value in the Partner Console. In the Security Review area (1) on the Solutions page, when a solution version passes review, the value is set to Passed (2) and the Listing Readiness value is set to Ready to List (3). When a re-review is required, the security review value is changed to Start Review (4).

Even if a re-review isn't required, you can voluntarily request one. A voluntary review is an option if the solution version's security review status is Request Re-Review. One reason to voluntarily request a re-review is to show a more recent reviewed version and date (1) on your AppExchange listing.
If your solution doesn't pass the re-review because we find that it no longer meets our security standards, we also notify you by sending an email to the security review contact listed on the Company Info page of the AppExchange Partner Console. We provide a timeline for you to remedy the issues, typically 60 days. In extreme cases, we pull the AppExchange listing from public viewing. Before you can relist it for distribution, you must fix the security issues and submit it for a follow-up review.