+ Start a Discussion
Nakul ChaudhariNakul Chaudhari 

Salesforce periodic security review process

I have a Salesforce App which passed security review for the first time in the last year. This App also includes integration with external web application, due to this I also submitted a BURP scan report of the external web application. I am not sure about how Salesforce conducts periodic security review and have some queries.

As you may know, Salesforce provides periodic, point-in-time review at an interval determined by salesforce.com (typically anywhere between 6 months to 2 years).

• As per Salesforce documentation for already passed Apps, around the expiry date, Salesforce contacts partners to arrange another review. Can you guide me on how much time Salesforce gives us to prepare for Security Review?

• BURP scan and fixing the issues reported by it can take time. If I could not submit a clean BURP scan report within the time frame provided by Salesforce, Does Salesforce remove package from AppExchange?

• Salesforce charges for Security Review process for paid Apps, as one-time upfront fee, and a small subsequent annual fee. Can you guide me on how much subsequent annual fee Salesforce charges to partners? Salesforce also charges annual listing fee of $150 USD. Is that correct?

Kindly help me with this. Thanks in advance.
Amit Chaudhary 8Amit Chaudhary 8
Please check below post. I hope that will help you
1) https://developer.salesforce.com/page/Security_Review

Q: If I update my application, do I need to pay the security review fee again to have it reviewed?
A: No. Security review is a periodic, point-in-time review at an interval determined by salesforce.com (typically anywhere between 6 months to 2 years). When you upload a new package version to the AppExchange and attempt to associate it with your listing, we automatically run a source code analysis against your Force.com code to identify potential security vulnerabilities. If issues are identified, you will receive a report via email and will be requested to address issues immediately.

We reserve the right to conduct random security penetration tests on your application throughout the year. This is covered within the listing fee that you pay annually and there is no extra charge. However, if we find that you have deviated from our security standards and best practices we may remove your application from the AppExchange.

Please raise this question on partner community. I hope  you will get you soon
 
Nakul ChaudhariNakul Chaudhari
Hi Amit,

Thanks for your reply.
I have already gone though that link and I have some queries which are listed in the question.

Here what I found,
Q: Is there a fee?
A: There is a one-time upfront fee, and a small subsequent annual fee for this process. The initial Security Review fee is $2,700 USD for each paid app submitted (no fee for free apps). This includes the annual listing fee of $150 USD for the first year. If you have questions, speak with your ISV Account Executive about Security Review fees.

In this case, can you help me?