FAQ-000790 - External Content and Iframe Security / External Service Integration Security

To report a potential false positive for an iframe-related vulnerability in the AppExchange Security Review, document the issue as a false positive and include an explanatory document in your submission. This document should detail why the flagged issue doesn't pose a security risk, referencing the specific context and functionality of your solution. Upload this false-positive document through the security review wizard in the AppExchange Partner Console when resubmitting your solution.

The FAQ content is accurate and covers the correct process for reporting false positives. I made minor improvements to enhance clarity and flow: (1) Added "in the AppExchange Security Review" to the first sentence for clarity, (2) Changed "does not pose" to "doesn't pose" for a more conversational tone per the brand guidelines, and (3) Removed redundant "your" before "solution" in the final sentence to improve conciseness. No security rules were identified as directly related because this FAQ addresses the administrative process of reporting false positives rather than discussing specific technical security vulnerabilities that would be detected by scanner rules. The available security rules focus on detecting actual code-level security issues (like XSS, SOQL injection, CRUD violations, etc.), while this FAQ covers the procedural aspect of disputing scanner findings through documentation and resubmission processes.