FAQ-001505 - Post-Approval Security Management / Post-Approval Vulnerability Management


Current FAQ

Question
How does the security review process handle vulnerabilities discovered by a partner after an app is already approved?
Answer
If a partner discovers vulnerabilities after an app is approved, the security review process requires the following steps:

1. Revise the solution to fix the identified vulnerabilities.
2. Provide updated scan reports, such as Source Scanner results or Dynamic Application Security Test (DAST) reports, depending on the vulnerabilities.
3. Document any false positives in detail and include them in the submission.
4. Submit the revised solution through the AppExchange Partner Console.
5. Be aware that applicable fees for the follow-up review will apply.

This process ensures that all vulnerabilities are addressed to maintain the app's security. Let me know if you need further clarification!

AI Recommended Enhancement

Question
How does the security review process handle vulnerabilities discovered by a partner after an app is already approved?
Recommended Answer Update
If a partner discovers vulnerabilities after an app is approved, the security review process requires the following steps:

1. Revise the solution to fix the identified vulnerabilities.
2. Provide updated scan reports, such as Source Scanner results or Dynamic Application Security Test (DAST) reports, depending on the vulnerabilities.
3. Document any false positives in detail and include them in the submission.
4. Submit the revised solution through the AppExchange Partner Console.
5. Be aware that applicable fees for the follow-up review will apply.

This process ensures that all vulnerabilities are addressed to maintain the app's security.
Reasoning
The FAQ content is accurate and well-structured. The main improvement made was removing the casual closing phrase 'Let me know if you need further clarification!' which doesn't align with the professional tone expected for official AppExchange security review documentation. This creates a more consistent, authoritative tone appropriate for security compliance guidance. Regarding security rules, none of the available rules directly apply to this FAQ's content. The FAQ discusses the administrative process for handling post-approval vulnerabilities - the procedural steps partners must follow when they discover security issues after approval. The available security rules are technical scanning rules that identify specific code vulnerabilities (like ApexSOQLInjection, ApexCRUDViolation, etc.) or configuration issues, but they don't relate to the post-approval remediation process itself. While these technical rules might detect the types of vulnerabilities that would trigger this process, the FAQ is about the remediation workflow rather than the technical security issues themselves.