Slack App Security Review

Slack wants to help you (our developers) create secure applications and integrations. To help with this, we've created a Security Review program for our App Directory Applications.

Your Application can be composed of multiple components:

  • A web server that Slack reaches out to
  • A service that reaches out to Slack
  • Mobile applications that your application offers
  • Servers that access Slack and process data

As part of our security review process, we will assess the security of all parts of your infrastructure that are required to make the core functionality of your offering work in its intended manner (both the Slack parts and yours). If a customer using your app can type something into your systems and it can end up in Slack, or vice versa, we need to take a look at your offering.

We will perform the following on the applicable parts of your application:

  • Automated web application security scanning
  • Automated network security scanning
  • Manual verification of proper authentication scope requests to ensure least-privilege design
  • Manual testing of functionality for security vulnerabilities and misuse
  • Manual architecture review of your application
  • Follow-up questions to you about your application's functionality

Things to consider while building your application:

What we need from you:

  • An architecture diagram detailing how your application is composed. This includes any services that you operate that interact with Slack, including servers, databases, and third-party integrations that are required for your offering to function.
  • Your application must be "feature-complete" and function as your final product will function once on the App Directory. If your application materially changes, we reserve the right to re-review your application and delist it if it does not pass another security review.
  • Security Review Contact
    • If we need to contact you during a test, we need a reliable email address and phone number
  • An explanation for the access scopes your application requires to function, and the reason for each one
  • A sample use case of your application functioning correctly
    • If you have lots of buttons and options, please tell us how to click them correctly, so we can focus on testing your application! Screenshots are especially helpful.
  • A brand new Slack test workspace with your application already installed and configured, along with two test accounts
    • Admin test account
    • Normal user test account
  • If you have a web application component (something that Slack reaches out to, or a customer goes to, in order to operate the Slack integration)
    • Testing Account(s), with login information
      • If your application has a permissions model (admin, non-admin, etc.), we will need a testing account for each role
    • Test environment populated with some test data
      • In order to get back to you as quickly as possible, please provide some test data (enough to demonstrate core functionality of your application) so our testers can spend more time assessing your application, and less time making up funny test names
    • Any web application firewalls need to be disabled so our team can test your application
      • We can provide your team with testing IP addresses to whitelist if you have a device like this
  • If you have a mobile application that can access parts of the Slack integration (or the data that is reflected in the Slack integration)
    • Links to the production version of your application on the following app stores
      • App Store
      • Google Play
      • Windows Store
    • Test credentials

Review Process

Once you submit your application for Security Review, our team will review applications in the order they are received, and will give you one of the following results:

  • ✅ Pass
    • Your application passed our security review! You are free to publish your application on our App Directory.
      • Our security team will re-visit your application periodically to ensure that it remains secure.
  • ❌ Fail
    • Your application contains one or more vulnerabilities that need to be fixed before we can approve your application.
    • Your application contains logic that goes against our terms of service, privacy policy, or developer program rules.

If you receive a status of ❌ Fail, you must remediate the issues our team raises and resubmit your application for another security review to proceed further. We will provide you with a report containing our reasoning for each issue, reproduction steps, and links to additional resources to help you remediate the issues.

Review Notes

The Slack Application Security Review is not a certification or proof of a secure application. Additional vulnerabilities may exist after a review, and we may revisit your application in the future to re-evaluate the security of your offering.

During our testing we will raise any issues we find with you, and we will need your help to remediate any outstanding issues before your application is approved for our App Directory.

Due to the nature of testing multiple applications simultaneously, we cannot inform you of when we will be testing your application.