Cost Questions Answered: Salesforce AppExchange Security Review Fees FAQs
Q. What is the Salesforce AppExchange security review fee?
The Salesforce AppExchange security review process ensures your app meets the platform's high security standards. While the system has recently changed, here's a breakdown of the current fee structure:
Initial Security Review:
Paid Apps: A one-time fee of $999 applies to all paid app submissions. This fee covers the initial security review.
Free Apps: Currently, there is no fee for security reviews of free apps. However, it's essential to understand that they still require successful completion of the review process.
Additional Considerations: For paid apps, the same fee is incurred for periodic re-reviews, which are triggered by significant changes or by the time elapsed since the last security review.
Failing a Salesforce security team review, whether during an initial review or a periodic re-review, incurs the same $999 fee as for paid apps.
For the latest fee information, always refer to this Quip.
Q. What is periodic re-review, and what is its fee applicability?
Salesforce charges the same $999 fee for paid apps when they are due for a periodic re-review. After your app is approved and listed, Salesforce runs risk factor reports on AppExchange apps, which help it flag apps due for periodic re-reviews based on:
Time elapsed since the last review (could be six months to two years).
Potential risk based on any significant changes made in the app (this is a huge factor).
Learn more from the ISV Force guide’s Periodic Security Re-Reviews on the AppExchange chapter.
Q. Is a repeated payment of the $999 fee necessary for apps failing the AppExchange security review?
Two possibilities here:
No code changes; only justification is needed for FALSE positives: It requires a Salesforce security review with no additional charges.
Code changes are required based on FALSE positives and TRUE positives: It needs a security review, and a standard fee of $999 will be applicable for paid apps only.
Q. Are Salesforce ISVs required to submit updated versions of their apps for a new AppExchange security review?
After March 16, 2023, Salesforce AppExchange security review submissions are MOSTLY not required for updated package versions after a package passes a manual review. To update a listing with the latest version of an approved package, associate the updated version with the listing.
Please note that when launching a new version of your existing app:
There is an auto-approved review, where the ISV has to go through a self-approval wizard.
Salesforce expects the ISV to ensure the required due diligence and compliance with various security aspects.
After completing the self-review wizard, a given app’s version is automatically whitelisted as PASSED from a security review standpoint.
This process is completed in a few minutes, and the app version can be published on the given public AppExchange listing.
However, after some time, based on the significance of metadata/code change and time since the last review, Salesforce might flag the application for a periodic re-review.
Salesforce reserves the right to pull a public/live app from the AppExchange listing if it finds critical security issues not addressed within a reasonable timeframe.
Here are some resources for further information:
ISV Force guide’s chapter about Periodic Security Re-Reviews on AppExchange.
Salesforce AppExchange Security Review Guide: https://developer.salesforce.com/docs/atlas.en-us.packagingGuide.meta/packagingGuide/security_review_overview.htm
Salesforce Security Trust Program: https://trust.salesforce.com/
Want to submit your managed packages, Salesforce API solutions, and Marketing Cloud API solutions for security review? Read this: AppExchange Security Review Wizard.
Q. Is there an AppExchange Security Review fee for updating an application to a new version?
No, you won’t be charged any fees to submit new application versions unless Salesforce detects a significant change in metadata or a significant time has elapsed since the last review.
Learn more about significant changes and periodic re-reviews in the ISV Force guide’s chapter about Periodic Security Re-Reviews on AppExchange.
Summary
By understanding AppExchange Security Review costs upfront, you can make informed decisions about listing your app on the AppExchange. To ensure you pass the security review process in your first few attempts, consider onboarding experts during the Salesforce implementation, preparation, or post-implementation stages, and adopt their suggestions during the various development phases.