Before being listed as a paid app, I need to complete the AppExchange security review process. This is a
I fill out a questionnaire with obvious risk vector questions (do I load material from servers outside of force.com? do I store user credentials outside of force.com?) and hit submit. Then I get this long-winded, overwritten explanation of how they have put my package through a heuristic threat detector, and a report about everything it found wrong. And they also say they'll be in touch within 2 days.
So have I failed the review? Can I appeal what the automated heuristics (notorious for false positive results) reported? What happens in 2 days?
How about telling me what I need to do next Salesforce?
(edited 18 Oct 2010 with clarification re: age of process)