UpGuard Release Notes

Learn about new features, changes, and improvements to UpGuard.
July 2024
New multi-framework security questionnaire

Toby Roger
July 17, 2024

We’ve developed a Multi-Framework Security Questionnaire that comprehensively maps to both ISO 27001:2022 and NIST CSF 2.0, and it is now available to all customers in the questionnaire library. This dual-standard approach offers a holistic view of a third party’s security posture, ensures robust incident response and recovery plans, and demonstrates a commitment to high security standards. We're excited to roll out even more questionnaires covering global and local regulations in coming releases.

Detection of regreSSHion (CVE-2024-6387)

CVE-2024-6387 is a high-severity vulnerability in OpenSSH servers that, if exploited, facilitates Remote Code Execution with full root privileges (CVSS 8.1). Detection will raise a verified vulnerability and the high-severity risk “Vulnerable to CVE-2024-6387 (OpenSSH regreSSHion Remote Code Execution)”.

Detection for polyfill.io inclusions 

The polyfill.io domain recently came under new ownership. This presents a new supply chain risk because the domain hosts the CDN for the polyfill JavaScript package. Detected inclusions will raise a new informational risk called "Polyfill.io or Polyfill.com Discovered".

Summary page added for Subsidiaries

For BreachSight plans that include subsidiaries, we’ve added a Subsidiary Summary page to allow you to view the security posture of your subsidiaries in more detail, including category breakdowns and geolocation details. To learn more see What is the subsidiary summary page.

Other improvements

  • This release includes a number of bug fixes
July 2024
Customize notifications for critical vendor incidents and news

Toby Roger
July 3, 2024

Being informed of critical vendor incidents and news is crucial. To help you prioritize your notifications, we’ve added the ability to create a new custom notification for incidents and news, with options to apply conditional logic including tiers, labels, portfolios and other attributes. This allows you to tailor your notifications to highlight the ones that matter most to you.

Learn more about custom notifications.

Other improvements

  • The Board Summary Report is now more customizable, with an option to show or hide competitor analysis from the overall security rating summary.
  • This release includes a number of usability improvements and bug fixes.
June 2024
Configure vulnerability notifications by CVSS severity

Toby Roger
June 19, 2024

Effective vulnerability management hinges on prioritization. Responding swiftly to critical vulnerabilities is as crucial as efficiently scheduling patches for lower-severity issues. The thresholds for these actions depend on each organization's risk tolerance.

Our new custom notification feature for vulnerabilities helps you achieve these goals. Now, you can set notifications for newly detected vulnerabilities that meet or exceed a specified CVSS threshold. You can further customize these notifications with conditional logic based on label, vendor portfolio, or vendor tier.

Learn more about creating notifications for risks or vulnerabilities by severity.

Add manual risks to questionnaires

To help you capture additional risks identified through the questionnaire review process, we’ve added the ability to add manual risks to a questionnaire.

Learn how and when to use manual risks in a questionnaire.

Allow users outside of UpGuard to request relationship questionnaires

Relationship questionnaires allow you to collect information about your organization's engagement with a vendor to help inform the appropriate level of assessment. With this enhancement, you can initiate a request for a relationship questionnaire via an API call. This allows non-users, such as business owners, to request relationship questionnaires from outside of the platform, streamlining procurement and vendor assessment processes.

Learn more about using the vendor relationship questionnaire and refer to our API documentation.

Other improvements

  • This release also includes several minor improvements and bug fixes
June 2024
Improved classification for Identity Breaches

Toby Roger
June 4, 2024

Identity breaches now include a new attribute that indicates the source of the data, specifying whether it originated from a company's breach, a paste document, or an Infostealer malware infection. Additionally, breaches can be filtered by type, providing a focused view of how your users have been exposed through third-party breaches or malware.

Note: the Infostealer data feed is included for customers on the Professional plan, and can be added on for Starter and Basic plans.

Other improvements

  • The Shared Profile has been renamed to Trust Page in the navigation and other areas. A Trust Page allows you to instantly share your security documentation with your customers.
  • We’ve incorporated a new detection for CVE-2024-24919, a high-severity information disclosure vulnerability affecting Check Point Security Gateway devices, now recognized as a CISA Known Exploited Vulnerability.
  • This release includes a number of bug fixes.
May 2024
Configure approver settings for risk waivers and adjustments

Toby Roger
May 23, 2024

A new setting now allows you to control who in your business is a nominated approver of risk waivers in both BreachSight and Vendor Risk, and risk adjustments in Vendor Risk. You can:

  • Mandate approval for risk waivers and risk adjustments
  • Nominate specific users who can approve risk waivers and adjustments

You can configure these approval settings for BreachSight and Vendor Risk in the Settings page.

Other improvements

  • Webhooks have been enhanced with the addition of a Questionnaire ID field.
  • The Vendor Risk executive summary page now includes tiering information in the highest and lowest scored vendors tables.
  • Vendor tier and vendor score are now available in the Vendor Risk portfolio risk profile and risk export.
  • We’ve made the Vendors page Excel export more customizable by adding the option to only include fields that you have selected to display.
  • We’ve added more detail to manually reduced risks in risk assessments and vendor reports including justification.
  • This release includes a number of bug fixes.
May 2024
Request a Managed Vendor Assessment

Toby Roger
May 10, 2024

Scale up your third-party risk management program and clear your backlog with our refreshed workflow for Managed Vendor Assessments. Engage our analyst team for expert assessment of your critical suppliers. Key features include:

  • Faster turnaround: we analyze audit reports and security documentation to reduce dependency on vendors responding to lengthy questionnaires.
  • Aligned to industry standards: our assessment encompasses controls for key security frameworks including ISO 27001:2022 and NIST Cybersecurity Framework (CSF) 2.0.
  • Easy to understand report: clearly communicate risk to your stakeholders with the redesigned report featuring all risks, findings and recommendations mapped to key security domains and control groups.

Read more about Managed Vendor Assessments, or contact your UpGuard account representative to see a sample assessment.

Newly registered domains monitoring for Typosquatting

We’ve improved how we detect typosquatting by monitoring newly registered domains for more possible permutations of your domain name. This improvement will identify more potentially malicious domains, faster.

Improved filtering and risk visibility in questionnaire viewer

We’ve made some changes to the questionnaire viewer to help you and your vendors focus on areas that need attention:

  • We’ve added a filter to the questionnaire detail view so you can easily navigate to raised risks, unanswered questions and autofilled responses.
  • We’ve added a risk table to the questionnaire summary to help recipients identify and address risks.

Other improvements

  • This release includes a number of bug fixes.

April 2024
New ServiceNow integration

Toby Roger
April 29, 2024

The new version of our ServiceNow Vendor Risk integration is now available. You can add UpGuard as a Third Party Risk Score provider, and sync your monitored vendors within UpGuard with the vendors listed in ServiceNow.

The integration also allows you to view UpGuard vendor information in ServiceNow, including tiers, labels, domain counts, score and risk count by severity, as well as industry average score and score trend information. To learn more see How to set up ServiceNow Vendor Risk integration with UpGuard or access the integration from the ServiceNow Store.

Predictive scoring for vulnerability exploitation

To help improve the prioritization of vulnerabilities, we’ve integrated the Exploit Prediction Scoring System (EPSS) into UpGuard’s Vulnerabilities module. EPSS uses a machine learning model trained to determine the likelihood that a CVE will be exploited in the next 30 days. Comparisons with CVSS show that EPSS is about 10x more efficient at identifying which vulnerabilities will and will not be exploited, making the most of your security and IT teams’ finite resources. Learn more about EPSS and how to use it in UpGuard.

Other improvements

  • Trust Exchange users can now save requested documents into their content library for re-use.
  • Collaborating on imported questionnaires is now easier as you can add collaborators via the questionnaire details view.
  • Imported questionnaires can now be published to the shared profile.
  • This release also includes a number of bug fixes.
April 2024
Answer questionnaires faster with import improvements

Annie Luu
April 9, 2024

Your imported questionnaires can now be used as a source for AI Autofill, so each questionnaire you answer in UpGuard Trust Exchange makes your subsequent questionnaires more accurate, faster, and easier. We’ve also added the ability to archive and delete imported questionnaires, as well as see suggested documents from your content library in the questionnaire viewer. Try these features out for yourself by importing a questionnaire.

Improvement to Vendor Risk Executive Summary 

We’ve enhanced the monthly distribution of vendor risk ratings on the Executive Summary page, updating the graph to show 13 months of data (allowing for a full 12-month comparison period) and changing it to a stacked bar graph to improve readability. These changes also extend to the Vendor Risk Executive Summary export and the Board report. To learn more, see What is in the UpGuard Vendor Risk Executive Summary Report?

Other improvements

  • Added vulnerability detection for Openfire administration consoles.
  • Added detections for potential subdomain takeovers for Heroku, Netlify, Vercel, and GitHub Pages.
  • This release also includes a number of bug fixes.
March 2024
Introducing the Vendor Risk digest

Annie Luu
March 27, 2024

To help you keep on top of your vendor risk management, we’ve introduced the Vendor Risk digest, a monthly email highlighting key information related to your vendor portfolio in UpGuard. The email includes team activity such as risk assessments, remediations and questionnaires, and changes to vendor risk profile, highlighting key risk areas. 

All full-access users will receive the digest monthly by default. This can be configured in Manage Notifications.

New vulnerability detections added

We’ve added detections for Jenkins and TeamCity instances, and for any vulnerabilities associated with their respective product versions, to help protect against ongoing campaigns targeting CI/CD infrastructure.

Added IP reputation data to Typosquatting

To help identify malicious domains impersonating your brand, we have enhanced the Typosquatting module to show whether those domains or IP addresses have been flagged by DNS blocklists. This information provides a strong signal that these similar domains are used by malicious actors. 

Infostealer malware alerts added to Identity Breaches

Employee credentials can be stolen when their devices are infected with malware. We’ve added the option for alerts for this kind of event to Identity Breaches, included with Professional, Corporate, and Enterprise plans. 

Other improvements

  • We’ve added an Export to the Detected Products pages in BreachSight.
  • To make it easier for you to tag and identify historical reports, we’ve added the ability to rename generated reports. To learn more, see Reporting in UpGuard.
  • We’ve added more flexibility to user permissions, by adding the option for portfolio restricted users to have access to the questionnaire builder. This is controlled by setting permissions in the user settings and is set to off by default. 
  • AI Autofill is now available on more questionnaire types. 
  • Duplicate document detection has been added to the Content Library, to make it easier to manage your security documentation. 
  • Shared Profile users can now add an “Other” category for their Trust & Security Pages. 
  • We have updated our Platform Terms & Conditions and Subprocessors to better reflect the services we provide.
  • This release also includes a number of bug fixes
March 2024
Import and answer security questionnaires in minutes – for free

Annie Luu
March 13, 2024

We’re making it easier than ever to answer security questionnaires with UpGuard’s Trust Exchange. You can now import any security questionnaire in Excel format, along with past responses and other documentation, and use that information to populate the questionnaire with AI-driven suggestions. Save your responses for next time and export the questionnaire back to its original format.

The UpGuard Trust Exchange is free to use. BreachSight and Vendor Risk customers can invite colleagues to start using the Trust Exchange without affecting their plan’s user limits.

Other improvements

  • You can now request additional report types through the API. In addition to the Vendor detail, Vendor summary and Board reports, you can now request Custom vendor reports, as well as Risk profile, Vulnerability and Domain list exports. To learn more, see How to request a report via the UpGuard API.
  • To give you more flexibility to customize your communications when sharing reports we’ve added a new email template for Generated Reports. To learn more see How to set up templates in UpGuard.
  • You can now store longer notes against your Vendors records, with a new character limit of 1000 characters (increased from 500 characters). 
February 2024
Ability to conduct concurrent risk assessments for a single vendor

Annie Luu
February 28, 2024

To give you more flexibility when conducting risk assessments, we’ve added the ability to create multiple concurrent risk assessments for a single vendor. You can now add custom names and scope for each risk assessment, to correspond to the specific purpose and scope of each assessment, such as product or region-based risk assessments.

To learn more about vendor risk assessments and these changes see How to complete a risk assessment.

Introducing the UpGuard Trust Exchange and Content Library

We’re consolidating our existing tools to answer security questionnaires, respond to requests for documentation and choose what to share in your Shared Profile under one banner: the UpGuard Trust Exchange. Plus, we’re introducing a content library, where you can manage and reuse previously uploaded documents. 

  • New: "Trust Exchange" menu item in your navigation
  • New: Content library feature to manage and reuse documents uploaded as part of security questionnaires
  • Move: "My Shared Profile" moves into Trust Exchange 

Improved visibility into your asset inventory with Detected Products

To extend the visibility into your asset inventory in BreachSight, we’ve added a new section called Detected Products that displays in-depth information about the software and other products used on your domains and IPs.

This information extends what is already available in Vulnerabilities – an inventory of software products with known vulnerabilities – to show products in use that may not yet have CVEs. Having this information allows you to audit for unapproved software and respond more quickly when a new vulnerability is discovered for one of the products you use.

Added link to registrar's abuse page to typosquatting 

When malicious domains impersonating your brand are detected by the Typosquatting module, the next step is to remediate the risk by contacting the domain registrar and reporting the abuse. You can now go straight to the page of the registrar or other relevant internet authority from Typosquatting to begin the takedown process.

Other improvements

  • We have begun the process of rolling out credentials stolen by infostealer malware as an enhancement to Identity Breaches for all customers on the Professional plan and above. 
  • We have added detection for CVE-2024-1709 and other vulnerabilities in ConnectWise ScreenConnect.
  • To make it quicker to download reports, we’ve added the ability for users to download multiple reports at the same time from the Generated reports page.
  • This release includes a number of bug fixes.
February 2024
What’s new in UpGuard | February 2024

UpGuard Team
February 1, 2024

Learn about new features, changes, and improvements to UpGuard this month.

  • To help with auditing for technologies affected by recent, high-impact vulnerabilities, we have added detections for Fortra GoAnywhere, Ivanti Connect Secure, Apache Superset, and GitLab.
  • We have added the ability to customize which domains to include in the risk assessment scope, giving you more flexibility to perform risk assessments on specific products or sub-sets of an organization rather than the entire vendor.
  • To give you more control over questionnaire statuses, we’ve added the ability to restore canceled questionnaires and re-open completed questionnaires.
