There is a lot of documentation on various aspects of the Salesforce ISV publishing process, but we realised that there wasn’t a simple list that called out all the tasks across the product, engineering and commercial aspects of the process. The list below is meant to be exactly that, and will hopefully make your publishing journey a little clearer.
I’ve also noted who should be responsible for driving each task.
Phase 1 — Code & Contracts
- Build an awesome app, wrap it in a managed package — ISV
- Create your package listing in the Partner Portal — ISV
- Complete the business plan section of your package listing — ISV
- Technical review meeting — Salesforce & ISV
- Business plan approval — Salesforce
- Sign off on a partner agreement — ISV & Salesforce (this can be done at any time before submitting your app for security review)
Phase 2 — Security & Documentation
- Prepare your managed package for review — ISV
- Perform various security scans:
  - Checkmarx — your ISV app
  - Chimera — any application external to Salesforce that you control
  - ZAP — any 3rd party application components you don’t own
- Prepare application documentation — ISV
  - Key user flows
  - Technical architecture
  - Security exceptions, AKA false positives that you can justify
Phase 3 — Let’s do this Thang
- Book an office hours meeting with the security review team
- Set up test environments for SF team — ISV
- Pay security review fee — ISV
- Complete security review wizard — ISV
- Submit for review, wait a few weeks — SF & ISV
- If you fail, review issues and fix. Open a case with Salesforce once done for the re-review — ISV
- If you pass, complete AppExchange listing and publish!
I hope that helps, best of luck 🖖🏼