UpGuard Release Notes

Learn about new features, changes, and improvements to UpGuard.
December 2024
NIS 2 supplier due diligence questionnaire

Toby Roger
December 6, 2024

We've introduced a new security questionnaire to help assess an organization’s security controls against the supplier risk management requirements of the NIS 2 Directive. It integrates and expands on the controls from ISO 27001:2022 and NIST CSF 2.0, covering alignment with international standards and the key NIS 2 supplier risk management requirements such as incident response, contractual safeguards, compliance with data protection laws and regulations, and cross-border data flows.

SIG Core and Lite questionnaires updated to 2025 versions

We've updated our SIG Core and SIG Lite questionnaires to the 2025 versions, incorporating the latest review and updates driven by industry standards and regulatory requirements for enhanced risk assessment. You can also now choose which sections of the SIG questionnaires to send, removing unnecessary sections and streamlining the vendor’s response.

Other improvements

  • We’ve added detection of vulnerabilities in Palo Alto PAN-OS and Fortinet FortiManager to our passive scanners, broadening our scanning coverage for both BreachSight and Vendor Risk.
  • We’ve continued to expand our sources for News and Incidents.
November 2024
Expanded News and Incident coverage

Toby Roger
November 20, 2024

We’re continuing to enhance our News and Incidents feed to provide broader, more comprehensive insights into breaches and cyber incidents. The feed now pulls from five times as many sources, offering greater visibility into critical, officially disclosed events. This expanded coverage empowers you to stay informed and respond more quickly to emerging risks. Access the enhanced feed directly from your dashboard under News & Incidents, and leverage this improved data to protect your business with greater precision and confidence.

Get notified when an NDA is agreed to

Trust Exchange users can now get notified when an NDA is agreed to on their Trust Page, so you’ll know when a new organization has access. This notification can be configured in the Manage Notifications page. 

Other improvements

  • We've standardized the design of primary actions across the platform, which now all use our dark blue button for a more cohesive and consistent user experience.
  • This release includes a number of bug fixes.
November 2024
NIST AI Risk Management Framework (AI RMF) security questionnaire

Toby Roger
November 7, 2024

We’ve launched a new questionnaire designed to evaluate an organization's compliance with the NIST AI RMF. This security questionnaire offers a structured framework for effectively assessing the risks associated with AI systems. It covers the core functions of the NIST AI RMF—governing, mapping, measuring, and managing AI systems—ensuring that vendors uphold best practices in AI governance and operational management.

Expanded news and incident coverage

We’ve greatly enhanced our news and incident scanning capabilities, now delivering five times broader coverage to provide faster, high-impact insights. This empowers your security teams and SOC analysts to detect incidents affecting your organization or supply chain sooner, enabling proactive responses to mitigate risks early. With an expanded range of advanced data collectors, including official reports and government databases, we now offer a more comprehensive view of emerging threats to fortify your security posture.

Other improvements

  • This release includes small improvements to Trust Exchange, including a new home page for free users, and improvements to notifications. 
  • We’ve added product and version detection for the Roundcube email client to detect the following vulnerabilities, all of which are fixed in Roundcube 1.5.8 and 1.6.8:
    • CVE-2024-42008 - A cross-site scripting flaw via a malicious email attachment served with a dangerous Content-Type header
    • CVE-2024-42009 - A cross-site scripting flaw that arises from post-processing of sanitized HTML content
    • CVE-2024-42010 - An information disclosure flaw that stems from insufficient CSS filtering
  • This release includes a number of bug fixes.
October 2024
Enhanced Vendors view and export

Toby Roger
October 23, 2024

We’ve improved the Vendor list view and export to give you deeper insights into your vendor portfolio.

  • You can now see exactly when a vendor was added to your portfolio with a new optional column called ‘Date added’. This column can be sorted and filtered, and is included in the Excel export.
  • We’ve added an option to include Risk count by severity in the Excel export.

Other improvements

  • When uploading or editing documents, we’ve changed the ‘document type’ selection sort order to alphabetical, making it easier to find and select the right document type.
  • Several iterative updates for AI Autofill have been released, including an improvement to autofill sources and information messages. 
  • Trust Exchange’s questionnaire form has seen some improvements, including an aspect ratio bug fix, an improvement to the naming of questionnaires added to Trust Pages, and more.
  • This release includes a number of bug fixes.
October 2024
Invite colleagues to collaborate on security questionnaires

Toby Roger
October 9, 2024

You can now invite colleagues from outside your security team to collaborate on questionnaires, providing business owners with visibility for vendor follow-ups and enabling input from contributors across departments. These users can view questionnaires, receive status updates, participate in reviews, and communicate internally through messages.

To learn more, see How to send security questionnaires in UpGuard Vendor Risk.

APRA CPS 230 questionnaire 

We’ve added a new security questionnaire to assess an organization’s adherence to the Australian Prudential Regulation Authority's (APRA) Prudential Standard CPS 230 Operational Risk Management. CPS 230 requires APRA-regulated entities to manage operational risk effectively so that their critical operations remain resilient. This questionnaire covers the requirements that apply to all APRA-regulated entities, including key principles, the risk management framework, roles and responsibilities, operational risk management, business continuity, and service provider arrangements.

Product detection and scanning improvements

We’ve introduced new product detections in BreachSight and vulnerability detection across our platform:

  • CUPS product & version detection
  • CUPS CVE-2024-47176 vulnerability detection (cups-browsed listening on UDP port 631 and accepting printer announcements from any source)
  • GeoServer product & version detection
  • Apache OFBiz product detection

Other improvements

  • The SIG Lite questionnaire has been updated to make document upload requests conditional
  • This release includes a number of bug fixes
September 2024
Remediate risks faster with built-in guidance

Toby Roger
September 25, 2024

We're making it easier to understand and explain web risks by introducing Risk Remediation Guidance to BreachSight and Vendor Risk. This update offers detailed explanations of each risk, its importance, and how to remediate it, enabling swift action even for non-technical users. With Risk Remediation Guidance, BreachSight users can act more decisively, resolving risks efficiently with clear instructions, while vendors gain deeper insights to better understand and mitigate risks.

Digital Operational Resilience Act (DORA) questionnaire

We’ve introduced a new questionnaire to assess an organization’s adherence to the EU's Digital Operational Resilience Act (DORA). Applying from 17 January 2025, DORA addresses gaps in EU financial regulation by requiring financial entities to manage ICT-related risk and operational resilience directly, rather than only allocating capital against risk.

Introducing Vendor Snapshots

Vendor Snapshots (previously Instant Reports) allow you to view the external risks of an organization for 30 days without adding it to your monitored vendor list. It’s perfect for when you need a point-in-time view of a vendor's security posture, such as when assessing or comparing potential vendors as part of a due diligence process.

Improvements that have been implemented as part of this release:

  • Renamed feature to Vendor Snapshot to better reflect the functionality
  • Made it easier to convert a Vendor Snapshot to a monitored vendor including retaining a view of expired snapshots
  • Ability to include Vendor Snapshots in the vendor comparison tool and report
  • Inclusion of Vendor Snapshots in vendors page exports (Excel and PDF)
  • Changes to Vendor Snapshot entitlements: Enterprise plans will have unlimited Vendor Snapshots, Professional and Corporate plans will have a set number included, and all Vendor Risk plans will be eligible to purchase additional snapshots

To learn more see What is the difference between a Vendor Snapshot and a Monitored vendor?

Configuration Leak Detection

Our web scanner now detects client-side and server-side configuration leaks, such as API keys embedded in JavaScript served to browsers and configuration files exposed over HTTP. This strengthens BreachSight and Vendor Risk by surfacing exposed secrets for customers and their vendors before an attacker finds them.
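As an added example (not UpGuard's scanner code), the following Python shows the two checks such a detector performs: pattern-matching a client-side JavaScript bundle for credential-shaped strings, and deciding whether a probed path such as /.env is returning a real dotenv file rather than an HTML error page. The bundle, response bodies and paths are constructed for the example; the AWS key value is Amazon's documented placeholder key, not a live credential.

```python
import re
from typing import Dict, List

# Constructed sample client-side bundle (hypothetical). The AWS key below is
# Amazon's documented example value, not a real credential.
SAMPLE_BUNDLE_JS = """// app.bundle.js (constructed sample)
const version = "1.2.3";
const config = { apiKey: "a1b2c3d4e5f6a7b8c9d0e1f2", region: "us-east-1" };
const s3 = new S3Client({ credentials: { accessKeyId: "AKIAIOSFODNN7EXAMPLE" } });
"""

# Constructed sample response bodies for two paths a scanner might probe.
# /config.json is a "soft 404": the server answered with an HTML page instead of a config file.
SAMPLE_RESPONSES: Dict[str, str] = {
    "/.env": "DB_HOST=db.internal\nDB_PASSWORD=hunter2-constructed\n# comment\nAPP_SECRET=constructed-value\n",
    "/config.json": "<!doctype html><html><body>Not found</body></html>",
}

# Well-known credential formats plus a generic key/secret assignment check.
# When a pattern has capture groups, the last group is the secret value.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "github_token": re.compile(r"\bghp_[0-9A-Za-z]{36}\b"),
    "generic_assignment": re.compile(
        r"""(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*["']([^"']{12,})["']"""
    ),
}

# A dotenv line: UPPER_SNAKE_CASE name, '=', anything.
DOTENV_LINE = re.compile(r"^[A-Z][A-Z0-9_]*=.*$")


def redact(value: str) -> str:
    """Keep only a short prefix so a finding can be reported without re-leaking the secret."""
    return value[:4] + "..." if len(value) > 4 else "..."


def scan_text(text: str) -> List[Dict[str, object]]:
    """Return one finding per credential-shaped match: line number, pattern name, redacted value."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(m.lastindex or 0)  # last capture group, or whole match
                findings.append({"line": lineno, "type": kind, "redacted": redact(value)})
    return findings


def looks_like_dotenv(body: str) -> bool:
    """True if a body is mostly KEY=VALUE lines, as a served .env file would be."""
    lines = [l.strip() for l in body.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    if len(lines) < 2:
        return False
    matching = sum(1 for l in lines if DOTENV_LINE.match(l))
    return matching * 2 >= len(lines)


def find_config_leaks(responses: Dict[str, str]) -> List[str]:
    """Return the probed paths whose response bodies look like an exposed dotenv file."""
    return [path for path, body in responses.items() if looks_like_dotenv(body)]


if __name__ == "__main__":
    for f in scan_text(SAMPLE_BUNDLE_JS):
        print(f"client-side leak  line {f['line']}: {f['type']} ({f['redacted']})")
    for path in find_config_leaks(SAMPLE_RESPONSES):
        print(f"server-side leak  {path} serves a dotenv-shaped body")
```

Findings are reported redacted so the scanner output does not itself become a leak. Pattern matching produces false positives (placeholder strings, test fixtures), so treat a match as something to verify rather than a confirmed credential; likewise, a 200 response alone says little because many servers return a custom HTML page for missing files, which is why the dotenv check looks at the body shape rather than the status code.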

Other improvements

  • Each page now has its own title tag, which makes it easier to differentiate between multiple tabs in your browser
  • This release includes a number of bug fixes
September 2024
Automatically answer questionnaires using a SOC 2 report, information security policy, or any other PDF

Toby Roger
September 11, 2024

Responding to security questionnaires is now easier than ever. You can import PDF documents (such as SOC 2 reports or security policies) in order to automatically populate security questionnaires with accurate suggestions, harnessing UpGuard’s AI to do the heavy lifting. This is available both for security questionnaires sent to you by other UpGuard users, and any external questionnaires you’ve imported into Trust Exchange. Learn more about AI Autofill

NIST CSF 2.0 questionnaire

We’ve added a NIST CSF 2.0 questionnaire for you to assess an organization's alignment with the NIST Cybersecurity Framework (CSF) 2.0. The questionnaire maps to the framework's six functions (Govern, Identify, Protect, Detect, Respond, and Recover) so you can check that an organization has the corresponding security controls and practices in place.

Other improvements

  • Expanded product detection in BreachSight for Cisco ASA
  • This release includes a number of bug fixes
August 2024
Send security questionnaires to vendors using the API

Toby Roger
August 28, 2024

It's now possible to send and track questionnaires from your existing systems and workflows using the UpGuard API. Leverage the new send questionnaire endpoint to automate the initiation of your vendor assessment process and reduce the need for manual intervention. To learn more, see How to send a security questionnaire via the UpGuard API and refer to our API documentation.

Expanded automatic product detection

We’ve expanded BreachSight’s product detection capabilities to include over 130 additional commonly used products in addition to the tens of thousands we already detect. Among the new products we detect are OpenSSH, Postfix, Kerberos, and many more. Read more about our Detected Products capability.

New vulnerability detection

We’ve added detection for two ServiceNow vulnerabilities, CVE-2024-4879 (CVSS 9.8) and CVE-2024-5217 (CVSS 8.7), both of which are being actively exploited in the wild and can be chained to achieve unauthenticated remote code execution on exposed instances.

Other improvements

  • This release includes a number of bug fixes
August 2024
Expanded categorization of attack surface risks

Toby Roger
August 15, 2024

To deliver more accurate and actionable insights into your external risks, we’ve updated how we categorize risks detected on the external attack surface. Existing risk detections have been re-organized and expanded from five categories into ten. The new security domains are Encryption, DNS, Vulnerability Management, Attack Surface, and Data Leakage, which join the existing categories of Website, Email, Network, IP Reputation, and Brand and Reputation. We’ve also updated our scoring algorithm to better measure the level of risk associated with detected findings, and to reflect the risks that make up each category. 

Auto-generated commentary for the Board Summary PowerPoint report

We’ve added auto-generated commentary for each visualization in the Board Summary PowerPoint report, so you can generate a powerful presentation with key insights instantly. The commentary is fully editable so you can adjust it to suit your audience and add your own insights. To learn more see How to generate a Board Summary report.

Notification for undelivered questionnaire requests

To help improve tracking and management of your questionnaire requests, we’ve added detection and notification for when a questionnaire request fails to reach the recipient. The notification ‘Questionnaire email has failed to send’ is switched on by default for all users. The failure event also appears in your questionnaire timeline.

Increased News & Incidents coverage for the US

We've enhanced our US coverage, capturing a broader and more accurate range of incidents to keep you better informed.

Other improvements

  • We’ve added the risk assessment report to the reports API. To learn more about requesting a report via the API see How to request a report via the UpGuard API.
  • We’ve increased the character limit of custom vendor attributes to 1,000. To learn more about defining and assigning custom vendor attributes see How to use custom vendor attributes.
  • Subscribers of the BreachSight digest will now see the Competitor Analysis included in the monthly email.
  • We’ve improved detection of Magento instances.
  • This release includes a number of bug fixes.
July 2024
New SIG 2024 and DPDP Act Questionnaires

Toby Roger
July 31, 2024

SIG Core and SIG Lite 2024

We’ve introduced the Standard Information Gathering (SIG) Core questionnaire to our questionnaire library, and updated the SIG Lite questionnaire to the 2024 version. The SIG questionnaires provide a comprehensive framework for evaluating third-party cybersecurity across multiple domains, including data protection, regulatory compliance, and operational resilience. 

Digital Personal Data Protection Act (DPDP), 2023 questionnaire 

This release also introduces a questionnaire to evaluate an organization's compliance with India’s Digital Personal Data Protection Act, 2023. The DPDP Act is a legislative framework designed to protect the privacy of individuals' personal data by regulating its collection, processing, and storage by organizations in India.

Learn more about the security questionnaires available in UpGuard’s Library.

Export blank questionnaires 

We’ve added an Excel export for blank questionnaires. This is available from the questionnaire summary page, the questionnaire library, and the custom questionnaire builder to help with the review process when building new questionnaires.

Other improvements

  • This release includes a number of bug fixes.
July 2024
New multi-framework security questionnaire

Toby Roger
July 17, 2024

We’ve developed a Multi-Framework Security Questionnaire that comprehensively maps to both ISO 27001:2022 and NIST CSF 2.0, and it is now available to all customers in the questionnaire library. This dual-standard approach gives a broad view of a third party’s security posture, including whether it has incident response and recovery plans in place, and lets a vendor demonstrate alignment with both standards in a single response. We're excited to roll out even more questionnaires covering global and local regulations in coming releases.

Detection of regreSSHion (CVE-2024-6387)

CVE-2024-6387 (regreSSHion) is a high-severity vulnerability in the OpenSSH server (CVSS 8.1): a race condition in sshd's signal handler that, if exploited, allows unauthenticated remote code execution with full root privileges on glibc-based Linux systems. It affects OpenSSH 8.5p1 through 9.7p1 (a regression of the fix for CVE-2006-5051) and is fixed in 9.8p1. Detection raises a verified vulnerability and the high severity risk “Vulnerable to CVE-2024-6387 (OpenSSH regreSSHion Remote Code Execution)“.
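The banner parsing behind product and version detection (the OpenSSH detection described under August 28 above) is also what a version-based check for CVE-2024-6387 builds on. The following Python is an added example and is not UpGuard's scanner: it parses SSH identification strings, extracts the product and version, and classifies OpenSSH versions against the affected range. The host names and banners are constructed for the example.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample banners (hypothetical hosts, not captured from real systems).
SAMPLE_BANNERS: Dict[str, str] = {
    "host-a": "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.4",
    "host-b": "SSH-2.0-OpenSSH_9.8p1",
    "host-c": "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3",
    "host-d": "SSH-2.0-OpenSSH_4.3",
    "host-e": "SSH-2.0-dropbear_2022.83",
    "host-f": "garbage that is not an SSH banner",
}

# RFC 4253 identification string: SSH-protoversion-softwareversion [SP comments]
BANNER_RE = re.compile(r"^SSH-(?P<proto>\d\.\d+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
# OpenSSH version strings look like "9.6p1"; the portable "pN" suffix is optional.
VERSION_RE = re.compile(r"^(?P<major>\d+)\.(?P<minor>\d+)(?:p(?P<patch>\d+))?")

# regreSSHion: 8.5p1 <= version < 9.8p1 is affected; the fix shipped in 9.8p1.
# Versions before 4.4 carry the original bug (CVE-2006-5051) unless a fix was backported.
REGRESSION_START = (8, 5, 0)
FIXED_IN = (9, 8, 0)
LEGACY_FIXED_IN = (4, 4, 0)


def detect_product(banner: str) -> Optional[Tuple[str, str]]:
    """Return (product, version string) from an SSH banner, or None if it is not an SSH banner."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    product, _, version = m.group("software").partition("_")
    return (product, version)


def parse_openssh_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) for an OpenSSH banner; None for other servers or unparsable input."""
    detected = detect_product(banner)
    if detected is None or detected[0] != "OpenSSH":
        return None
    v = VERSION_RE.match(detected[1])
    if not v:
        return None
    return (int(v.group("major")), int(v.group("minor")), int(v.group("patch") or 0))


def regresshion_status(banner: str) -> str:
    """Classify a banner for CVE-2024-6387 using only the advertised version."""
    ver = parse_openssh_version(banner)
    if ver is None:
        return "not-openssh"
    if ver < LEGACY_FIXED_IN:
        return "vulnerable-legacy"
    if REGRESSION_START <= ver < FIXED_IN:
        return "vulnerable"
    return "not-vulnerable"


def triage(banners: Dict[str, str]) -> Dict[str, str]:
    """Map each host to its regreSSHion status."""
    return {host: regresshion_status(b) for host, b in banners.items()}


if __name__ == "__main__":
    for host, status in triage(SAMPLE_BANNERS).items():
        print(f"{host:8s} {status:18s} {SAMPLE_BANNERS[host]}")
```

A banner-only result is a lead, not a verdict: distribution packages routinely backport the fix while keeping the upstream version string (the Ubuntu and Debian comment fields above are where that package revision shows up), so a host reported as "vulnerable" should be confirmed against the installed package version before it is escalated.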

Detection for polyfill.io inclusions 

The polyfill.io domain changed ownership in 2024, and the CDN it hosts for the polyfill JavaScript package has since been reported serving malicious scripts to visitors of sites that include it, so any page loading scripts from that domain carries a supply chain risk. Such inclusions will raise a new informational risk called "Polyfill.io or Polyfill.com Discovered".
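As an added example of how this kind of inclusion is found in page content (example code, not UpGuard's scanner), the following Python collects the src of every script tag on a page and flags those whose host is polyfill.io, polyfill.com, or a subdomain of either, including protocol-relative URLs. The sample page is constructed for the example.

```python
from html.parser import HTMLParser
from typing import List
from urllib.parse import urlsplit

# Domains named in the release note; subdomains (e.g. cdn.polyfill.io) are also flagged.
FLAGGED_HOSTS = ("polyfill.io", "polyfill.com")

# Constructed sample page (hypothetical, not a real site).
SAMPLE_HTML = """<!doctype html>
<html><head>
  <script src="https://polyfill.io/v3/polyfill.min.js?features=es6"></script>
  <script SRC='//cdn.polyfill.io/v2/polyfill.min.js'></script>
  <script src="https://cdn.jsdelivr.net/npm/some-lib@1.0.0/dist/lib.min.js"></script>
  <script src="/static/app.js"></script>
  <script>console.log("inline, no src");</script>
</head><body></body></html>
"""


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.sources: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":  # HTMLParser lowercases tag and attribute names
            return
        for name, value in attrs:
            if name == "src" and value:
                self.sources.append(value.strip())


def host_of(src: str) -> str:
    """Lowercased hostname of a script URL; '' for relative paths.
    Protocol-relative URLs ('//cdn.polyfill.io/...') still yield a hostname."""
    return (urlsplit(src).hostname or "").lower()


def is_flagged_host(host: str) -> bool:
    """Exact match or subdomain of a flagged host; 'notpolyfill.io' does not match."""
    return any(host == h or host.endswith("." + h) for h in FLAGGED_HOSTS)


def find_polyfill_inclusions(html: str) -> List[str]:
    """Return the script URLs on a page that load from a flagged polyfill host."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    collector.close()
    return [src for src in collector.sources if is_flagged_host(host_of(src))]


if __name__ == "__main__":
    for src in find_polyfill_inclusions(SAMPLE_HTML):
        print("Polyfill.io or Polyfill.com Discovered:", src)
```

Matching on the parsed hostname rather than substring-searching the URL avoids both misses (uppercase attribute names, protocol-relative URLs) and false hits (a look-alike domain, or "polyfill.io" appearing in a query string). A static parse only sees script tags present in the served HTML; scripts injected at runtime by other scripts need a browser-based check.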

Summary page added for Subsidiaries

For BreachSight plans that include subsidiaries, we’ve added a Subsidiary Summary page to allow you to view the security posture of your subsidiaries in more detail, including category breakdowns and geolocation details. To learn more see What is the subsidiary summary page.

Other improvements

  • This release includes a number of bug fixes
July 2024
Customize notifications for critical vendor incidents and news

Toby Roger
July 3, 2024

Being informed of critical vendor incidents and news is crucial. To help you prioritize your notifications, we’ve added the ability to create a new custom notification for incidents and news, with options to apply conditional logic including tiers, labels, portfolios and other attributes. This allows you to tailor your notifications to highlight the ones that matter most to you.

Learn more about custom notifications.

Other improvements

  • The Board Summary Report is now more customizable, with an option to show or hide competitor analysis from the overall security rating summary.
  • This release includes a number of usability improvements and bug fixes.