All apps submitted for publication on the Zoom App Marketplace undergo a dedicated review process before they can be made available for public installation. Once an app has been submitted, the Zoom Marketplace team will conduct the review independently and work with the developer on any additional requirements.
Review time varies by app based on app quality, usability, quantity and function of features, and metadata quality (descriptive content). Testing time is typically the shortest for apps with properly defined scopes and quality metadata. Conversely, apps with heavy feature requirements, poor usability, or sub-standard metadata content can require a lengthy review process.
During Submission Review, the Publishable URL can be used to directly distribute the app to users on the developer’s account; however, the app will not be discoverable in the Marketplace until it has been approved.
When an app has been approved, the Zoom Marketplace team will notify the developer of successful approval and public availability of the app.
Fill out this form prior to submitting your app so that you can assess your app in its current state. Once you complete the assessment, you will receive an email with a link to an auto-generated App Review Report highlighting existing issues and recommendations on how to resolve those issues.
Note: Submission Reviews are only required for Public apps available for any Zoom user to install. Private apps do not require Submission Review.
Functional and Usability Testing
After submission, all apps undergo functional and usability testing to check for user experience issues and technical errors as well as for functional or business logic issues. During functional and usability testing, apps are reviewed for the following criteria:
- Installation / Uninstallation process
- User sign-up process
- Configuration settings
- User Experience; ease of use
- Available Support, Documentation, Feedback options
- App Deauthorization is clear and adheres to Data Compliance requirements.
All Zoom Marketplace apps are subject to a security review encompassing a multi-step security audit intended to maintain customer security and the integrity and resilience of the ecosystem as a whole.
Once you have submitted your app for review, prior to the publication of your app on the Zoom App Marketplace, the App Security team at Zoom will conduct the security review of your app.
The security review team may, in its discretion, communicate with you regarding changes that you might have to make in order for your app to pass the security review; provided, however, that the results of the security review are confidential and may not be shared with third parties without Zoom’s prior written consent. Your app will not be approved on the Zoom App Marketplace unless it passes the security review.
Security review is handled in four phases:
Security Assessment Questionnaire
The first step in the security review process is to download this security assessment, fill it out, and send the completed questionnaire to email@example.com.
This is a mandatory requirement and your app will be denied approval if we fail to receive this assessment.
Assessment - Evaluation Phase
After you have emailed the form, the Zoom App Marketplace team will focus on the assessment of the application and all accessible resources as they relate to the Zoom Marketplace integrations or applications. Zoom may perform remote application-level security testing, network-level security testing, and vulnerability threat assessments on your app. The test will consist of both manual testing and the use of automated tools for the procedures listed below:
- Authentication & Authorization for User Identity Management and Access Controls
- Input Validation testing for common web application security vulnerabilities such as SQLi, XSS, XML, etc.
- Application abuse and business logic.
The tests are NOT intrusive and will not affect app functionality. We will not engage in any load testing, intrusive penetration testing, and/or DoS/DDoS.
Analysis and Reporting - Report Findings and Follow-up
The results and findings of the security review will be presented in a report detailing the observations noted during this engagement, with supporting documentation, recommendations, and references to assist in implementing the steps needed to secure the application.
It is expected that any critical security concerns, as identified by the security reviewer, be fixed promptly.
Project Close-Out - Final Report Delivery & Follow-up
In the event that your app passes the security review process, you will receive an email notification regarding the successful completion of the security review.
Note: We follow industry standard guidelines while performing the security reviews. To learn more about the basic security vulnerabilities that we test for, refer to the Open Web Application Security Project’s Top 10 Vulnerabilities guide.
Disclaimer: Security Reviews are not meant to be exhaustive security/penetration testing of an application. A security review by Zoom shall not be deemed a warranty or certification of your application. This report is not to be used (in any direct/indirect form) to market this app as security tested or certified by Zoom. While the results of this test will provide a reasonably accurate view of the current security level of the tested app, Zoom is not liable or responsible if the security review fails to discover security or configuration issues of the application.
If an app does not meet the standards required for Marketplace publication, the Marketplace team will deny the request for publication. Even though a submission may be denied, the Zoom Marketplace team may, in its discretion, work directly with developers to assist in re-submitting the application and address requirements to pass submission.