Acting on Review results

Part 8 Security Review and Publishing AppExchange Applications

The security review process improves the quality of your product and increases your chances of a successful launch. The main reasons why an application might fail a security review can be found here.

  • Approved: Now you can list your offering publicly on the AppExchange and distribute it to customers.
  • Provisionally approved: Medium and/or low-risk issues have been identified. You will be given a mutually acceptable timeline to address these issues (usually 60-90 days). In the meantime, you will be allowed to list your application on AppExchange. If the issues are not addressed within the given timeline, the app may be removed from AppExchange.
  • Not approved: Critical and/or high-risk issues have been identified. You get this feedback as a report that lists the vulnerabilities that the security team found. The email you receive also has detailed instructions on how to fix these vulnerabilities.


As you fix the vulnerabilities, don’t forget to reuse scanners and adversarial testing on your product, just as you did before the review. They help prevent new vulnerabilities from sneaking into your code.

Using the AppExchange and the License Management Application (LMA), you can sell, renew and manage user-based licenses to the app and set default license settings. For example, you can license your app as a free trial that expires after a specified number of days.

Salesforce reserves the right to conduct random on-site and off-site tests on published offerings. If during these tests Salesforce finds that the offering has deviated from any of the requirements, you will be notified and provided a timeframe to remedy the issue. In extreme cases, the AppExchange listing may be pulled from public viewing.

Press and Publicity

While you are waiting for the security review results, you can prepare your project’s listing. This is where you will describe your app’s features, supported devices and licensing options, and provide interesting descriptions to boost installs.

Once your listing is published, use your preferred social media to advertise your work and monitor analytics, such as the number of installs, in the Publisher Console. You will also want to monitor user feedback as users post reviews, request additional information or report bugs.

