When a company submits their application for Salesforce Security Review there is often a need to provide documentation. There is a lot of information on the process and security scans here (https://developer.salesforce.com/page/Security_Review) but this doesn't have any templates or documentation standards a submission should follow for their application.
This is a sample of a template I have used when submitting to Salesforce Security Review that I have found helpful. I have gone through Salesforce Security Review more than 10 times for large OEM managed packages with hundreds of thousands of lines of code. I have found that the more information you can give the security engineers when they review your application the more successful you will be in passing your security review. Performing this documentation as part of your SDLC also helps bake this into your engineering processes, ensuring future reviews are successful.
Here is the sample template for a fake application with some simple data points. For a true enterprise class application this can be a rather lengthy but important document.
Security Review Considerations and False Positives Template
Want to learn more? Join my engineering organization! I'm looking for new talent to mentor in multiple engineering roles! http://www.fusionrm.com/careers