Documents not required are requested in Functional Review

We created an Account-level-app and sent a request to review.
We answered No to the question “Do you have a secure software development process (SSDLC)?”, but request is declined on the reason below.

Thank you for providing us with the completed Technical Design section and supporting evidence. Unfortunately, the App has failed our Security and Privacy Compliance Review. We are unable to approve the app in its current state as the evidence that was submitted is not supporting enough for approval. In reviewing the content and information you shared, the TDD submission indicated that you have a Secure SDLC process, conduct vulnerability scans (SAST/DAST), and perform ongoing pen testing for your application. However, the SSDLC evidence uploaded doesn’t fulfill our requirement for a formal SSDLC and SAST/DAST evidence. The proof of SSDLC must incorporate your entire development process from requirements to production and be widely acknowledged by your team. For the SAST/DAST, screenshots of the scans output will suffice. And for the third party pentest, we expect to see the report from the vendor (cover page and overall findings summary will work). Also, per our policies the app cannot be reviewed without the English translation of your evidence. Please resubmit the evidence with its English translation and we can continue to review your application. Thank you for choosing Zoom! Please let us know if you have any questions.

Why are we being asked to submit SSDLC evidence?
We can provide ID if needed.

Thank you.

Looking to discuss the use of apps integrations on the Marketplace?
Join the Zoom user community conversation at

Hello @daiki.murakami

There is a bit of confusion here, but this sounds more like you submitted your app for an Authorization URL request and it was rejected, The requirements for the Authorization URL are different than the requirements for Publishing on the marketplace. If you want further clarification please go ahead and email the security team and include your App Name and Production Client ID so they can idenity the application.

Regards, Kwaku

Hello @kwaku.nyante

Thank you for your response.
I thought Authorization URL is necessary to publish on the marketplace.
I’ll try to publish our app.

This topic was automatically closed after 30 days. New replies are no longer allowed.