FAQ-000528 - Custom Settings and Configuration Security / Security Review and Compliance

To handle false positive claims about information disclosure in protected custom settings, ensure your justification is comprehensive and includes all relevant details. If sensitive data is stored in protected custom settings, confirm that the data is encrypted and access is appropriately restricted. Document your reasoning in a false positive report, clearly explaining why the issue isn't exploitable or doesn't pose a security risk. Submit the false positive document for review to ensure it aligns with security standards.

The original answer is technically accurate and contains solid guidance about handling false positives in security reviews. The only improvement needed is a minor wording change from 'is not exploitable' to 'isn't exploitable' to align with the conversational tone guidelines that recommend using contractions. This makes the text sound more natural and approachable while maintaining all the technical accuracy and completeness of the original content. No security rules were selected because this FAQ is specifically about the process of documenting and handling false positives during security review, rather than about preventing or detecting specific security vulnerabilities. The available security rules focus on detecting actual security issues (like SOQL injection, CSRF, XSS, etc.), while this FAQ addresses the administrative/documentation process when those automated checks produce false alerts. The content deals with review procedures and documentation practices rather than code-level security enforcement that the scanner rules would detect.