All apps submitted for publication on the Zoom App Marketplace undergo a dedicated review process before they can be made available for public installation. Once an app has been submitted, the Zoom Marketplace team will conduct the review independently and work with the developer on any additional requirements.
Review time varies by app based on app quality, usability, quantity and function of features, and metadata quality (descriptive content). Testing time is typically the shortest for apps with properly defined scopes and quality metadata. Conversely, apps with heavy feature requirements, poor usability, or sub-standard metadata content can require a lengthy review process.
During Submission Review, the Publishable URL can be used to directly distribute the app to users on the developer’s account; however, the app will not be discoverable in the Marketplace until it has been approved.
When an app has been approved, the Zoom Marketplace team will notify the developer of successful approval and public availability of the app.
Note: Submission Reviews are only required for Public apps available for any Zoom user to install. Private apps do not require Submission Review.
Functional and Usability Testing
After submission, all apps undergo functional and usability testing to check for user experience issues and technical errors as well as for functional or business logic issues. During functional and usability testing, apps are reviewed for the following criteria:
- Installation / Uninstallation process
- User sign-up process
- Configuration settings
- User Experience; ease of use
- Available Support, Documentation, Feedback options
- App Deauthorization is clear and adheres to Data Compliance requirements
All Zoom Marketplace apps are also subjected to a security test encompassing a multi-step security audit and penetration test intended to maintain customer security and resilience of the ecosystem as a whole. Submissions for security tests are handled in a rolling queue and will be scheduled with app developers to allow for system preparation.
The security review uses the black-box methodology in which little or no information regarding the application is provided to the tester (in this case the Zoom Marketplace). This type of testing is used to provide a realistic approach and more accurate results.
Penetration tests simulate a real third-party attack, making it essential to communicate with hosting providers before engaging in a penetration test. If an app is hosted by a third-party provider, prior authorization is required to conduct a penetration test.
Security testing is handled in four phases:
- Planning - Discovery Phase
  - Reconnaissance and Open Source Intelligence (OSINT) for the hosting web server and web application under test
  - Configuration check, including a check for encryption, cipher suites, certificate validation, etc.
- Assessment - Evaluation Phase
  - Authentication & Authorization for user identity management and access controls
  - Input validation testing for common web application security vulnerabilities such as SQLi, XSS, XML, etc.
  - Application abuse and business logic
- Analysis and Reporting - Findings and Report Development
- Project Close-Out - Final Report Delivery & Follow-up
Following a security test, a Security Report will be presented to the app developer providing a full narrative and supporting documentation. This report will include recommendations and references to assist with properly implementing security requirements for the app. Findings in the Security Report are categorized by severity. The application will be revisited for an audit after thirty days to confirm that the reported requirements have been addressed.
The Zoom Marketplace team may utilize a third-party for security analysis and penetration testing. If necessary, Zoom may put this third-party in contact with developers through the email provided at submission.
Disclaimer: Security Tests are not meant to be exhaustive security/penetration testing of an application as performed by a third-party assessor. These tests are performed as a courtesy to help ensure the security of Zoom customer data, and hence these tests and their findings are limited to assessing the risk to our customer data. This report is not to be used (in any direct or indirect form) to market this app as security tested and certified by Zoom. While the results of this test will provide a reasonably accurate view of the current security level of the tested app, Zoom cannot be held responsible if the security test fails to discover certain security or configuration issues in the app.
If an app does not meet the quality standards checks required for Marketplace publication, the Marketplace team will deny the request. Even though a submission may be denied, the Zoom Marketplace team will work directly with developers to assist in resubmitting the app and address requirements to pass submission.
For additional information on submission requirements, reference the Submission Checklist or reach out directly to email@example.com.