Periodic Security Re-Reviews on AppExchange

To help safeguard against the latest vulnerabilities, we conduct periodic security re-reviews of AppExchange solutions. These reviews are similar in scope to an initial security review, and they include automated and manual testing. You can voluntarily request a re-review of your solution, or in certain instances we notify you that your solution requires a re-review. In both cases, security review fees apply.

When you upgrade a managed package version of a solution that passed security review, you don’t go through the full review process again. You can immediately associate the new version with your AppExchange listing.

To identify which listed solutions are due for re-review, we consider potential risk and the amount of time since the solution was listed. To determine potential risk, we run risk-factor reports. If those reports show significant change in your solution, we’re likely to require a re-review. A low risk factor, however, can mean that your solution isn’t flagged for re-review.

If we determine that a re-review is required, we send an email notification to the security review contact listed on the Company Info page of the AppExchange Partner Console. We also update the security review value in the Partner Console. In the Security Review area (1) on the Solutions page, when a solution version passes review, the value is set to Passed (2) and the Listing Readiness value is set to Ready to List (3). When a re-review is required, the security review value is changed to Start Review (4).

A sample solution with two versions and callouts in the Listing Readiness and Security Review columns

Even if a re-review isn't required, you can voluntarily request one. A voluntary review is an option if the solution version's security review status is Request Re-Review. One reason to voluntarily request a re-review is to show a more recent reviewed version and date (1) on your AppExchange listing.

The details tab of an AppExchange listing with a callout around the last reviewed version and date of the solution associated with the listing

If your solution doesn't pass the re-review because we find that it no longer meets our security standards, we also notify you by sending an email to the security review contact listed on the Company Info page of the AppExchange Partner Console. We provide a timeline for you to remedy the issues, typically 60 days. In extreme cases, we pull the AppExchange listing from public viewing. Before you can relist it for distribution, you must fix the security issues and submit it for a follow-up review.