NIS 2 supplier due diligence questionnaire
We've introduced a new security questionnaire to help assess an organization’s security controls in line with the supplier risk management requirements of the NIS 2 Directive. This questionnaire integrates and expands on the controls from ISO 27001:2022 and NIST CSF 2.0, addressing the alignment with international standards and key components of NIS 2 supplier risk management requirements such as incident response, contractual safeguards, compliance with data protection laws and regulations, and cross-border data flows.
SIG Core and Lite questionnaires updated to 2025 versions
We've updated our SIG Core and SIG Lite questionnaires to the 2025 versions, incorporating the latest review and updates driven by industry standards and regulatory requirements for enhanced risk assessment. You can also now choose which sections of the SIG questionnaires to send, removing unnecessary sections and streamline the vendor’s response.
Other improvements
- We’ve added vulnerability detection for vulnerabilities in Palo Alto PAN-OS and FortiManager to our passive scanners, broadening our scanning capabilities for both Breachsight and Vendor Risk.
- We’ve continued to expand our sources for News and Incidents.
Expanded News and Incident coverage
We’re continuing to enhance our News and Incidents feed to provide broader, more comprehensive insights into breaches and cyber incidents. The feed now pulls from five times as many sources, offering greater visibility into critical, officially disclosed events. This expanded coverage empowers you to stay informed and respond more quickly to emerging risks. Access the enhanced feed directly from your dashboard under News & Incidents, and leverage this improved data to protect your business with greater precision and confidence.
Get notified when an NDA is agreed to
Trust Exchange users can now get notified when an NDA is agreed to on their Trust Page, so you’ll know when a new organization has access. This notification can be configured in the Manage Notifications page.
Other improvements
- We've standardized the design of primary actions across the platform, which now all use our dark blue button for a more cohesive and consistent user experience.
- This release includes a number of bug fixes.
NIST AI Risk Management Framework (AI RMF) security questionnaire
We’ve launched a new questionnaire designed to evaluate an organization's compliance with the NIST AI RMF. This security questionnaire offers a structured framework for effectively assessing the risks associated with AI systems. It covers the core functions of the NIST AI RMF—governing, mapping, measuring, and managing AI systems—ensuring that vendors uphold best practices in AI governance and operational management.
Expanded news and incident coverage
We’ve greatly enhanced our news and incident scanning capabilities, now delivering five times broader coverage to provide faster, high-impact insights. This empowers your security teams and SOC analysts to detect incidents affecting your organization or supply chain sooner, enabling proactive responses to mitigate risks early. With an expanded range of advanced data collectors, including official reports and government databases, we now offer a more comprehensive view of emerging threats to fortify your security posture.
Other improvements
- This release includes small improvements to Trust Exchange, including a new home page for free users, and improvements to notifications.
- We’ve added product and version detection for the Roundcube email client to detect the following vulnerabilities:some text
- CVE-2024-42008 - A cross-site scripting flaw via a malicious email attachment served with a dangerous Content-Type header
- CVE-2024-42009 - A cross-site scripting flaw that arises from post-processing of sanitized HTML content
- CVE-2024-42010 - An information disclosure flaw that stems from insufficient CSS filtering
- This release includes a number of bug fixes.
Enhanced Vendors view and export
We’ve improved the Vendor list view and export to give you deeper insights into your vendor portfolio.
- You can now see exactly when a vendor was added to your portfolio with a new optional column called ‘Date added’. This column can be sorted and filtered, and is included in the Excel export.
- We’ve added an option to include Risk count by severity in the Excel export.
Other improvements
- When uploading or editing documents, we’ve changed the ‘document type’ selection sort order to alphabetical, making it easier to find and select the right document type.
- Several iterative updates for AI Autofill have been released, including an improvement to autofill sources and information messages.
- Trust Exchange’s questionnaire form has seen some improvements, including an aspect ratio bug fix, an improvement to the naming of questionnaires added to Trust Pages, and more.
- This release includes a number of bug fixes.
Invite colleagues to collaborate on security questionnaires
You can now invite colleagues from outside your security team to collaborate on questionnaires, providing business owners with visibility for vendor follow-ups and enabling input from contributors across departments. These users can view questionnaires, receive status updates, participate in reviews, and communicate internally through messages.
To learn more, see How to send security questionnaires in UpGuard Vendor Risk.
APRA CPS 230 questionnaire
We’ve added a new security questionnaire to assess an organization’s adherence to the Australian Prudential Regulation Authority's (APRA) Prudential Standard CPS 230 Operational Risk Management. CPS 230 ensures that APRA-regulated entities effectively manage operational risks to maintain the resilience of critical operations. This questionnaire covers all APRA-regulated entities' requirements, including key principles, risk management framework, roles and responsibilities, operational risk management, business continuity, and service provider arrangements.
Product detection and scanning improvements
We’ve introduced new product detections in BreachSight and vulnerability detection across our platform:
- CUPS product & version detection
- CUPS CVE-2024-47176 vulnerability detection
- GeoServer product & version detection
- Apache OFBiz product detection
Other improvements
- The SIG Lite questionnaire has been updated to make document upload requests conditional
- This release includes a number of bug fixes
Remediate risks faster with built-in guidance
We're making it easier to understand and explain web risks by introducing Risk Remediation Guidance to BreachSight and Vendor Risk. This update offers detailed explanations of each risk, its importance, and how to remediate it, enabling swift action even for non-technical users. With Risk Remediation Guidance, BreachSight users can act more decisively, resolving risks efficiently with clear instructions, while vendors gain deeper insights to better understand and mitigate risks.
Digital Operational Resilience Act (DORA) questionnaire
We’ve introduced a new questionnaire to assess an organization’s adherence to the Digital Operational Resilience Act in the EU. In effect from January 17 2025, DORA addresses gaps in EU financial regulation by requiring financial institutions to manage ICT-related risks and operational resilience alongside traditional capital allocation for risk management.
Introducing Vendor Snapshots
Vendor Snapshots (previously Instant Reports) allow you to view the external risks of an organization for 30 days without adding it to your monitored vendor list. It’s perfect for when you need a point-in-time view of a vendor's security posture, such as when assessing or comparing potential vendors as part of a due diligence process.
Improvements that have been implemented as part of this release:
- Renamed feature to Vendor Snapshot to better reflect the functionality
- Made it easier to convert a Vendor Snapshot to a monitored vendor including retaining a view of expired snapshots
- Ability to include Vendor Snapshots in the vendor comparison tool and report
- Inclusion of Vendor Snapshots in vendors page exports (Excel and PDF)
- Changes to Vendor Snapshot entitlements: Enterprise plans will have unlimited Vendor Snapshots, Professional and Corporate plans will have a set number included, and all Vendor Risk plans will be eligible to purchase additional snapshots
To learn more see What is the difference between a Vendor Snapshot and a Monitored vendor?
Configuration Leak Detection
Our web scanner now detects client-side and server-side configuration leaks, enhancing protection against exposed API keys and configuration files. This update strengthens BreachSight and Vendor Risk by improving proactive risk detection for customers and their vendors.
Other improvements
- Each page now has its own title tag, which makes it easier to differentiate between multiple tabs in your browser
- This release includes a number of bug fixes
Automatically answer questionnaires using a SOC 2 report, information security policy, or any other PDF
Responding to security questionnaires is now easier than ever. You can import PDF documents (such as SOC 2 reports or security policies) in order to automatically populate security questionnaires with accurate suggestions, harnessing UpGuard’s AI to do the heavy lifting. This is available both for security questionnaires sent to you by other UpGuard users, and any external questionnaires you’ve imported into Trust Exchange. Learn more about AI Autofill.
NIST CSF 2.0 questionnaire
We’ve added a NIST CSF 2.0 questionnaire for you to assess an organization's compliance with the standards in the NIST Cybersecurity Framework (CSF) 2.0. This questionnaire comprehensively maps to NIST's six functions, which cover governance, identification, protection, detection, response, and recovery, ensuring that organizations meet the necessary security controls and practices.
Other improvements
- Expanded product detection in BreachSight for Cisco ASA
- This release includes a number of bug fixes
Send security questionnaires to vendors using the API
It's now possible to send and track questionnaires from your existing systems and workflows using the UpGuard API. Leverage the new send questionnaire endpoint to automate the initiation of your vendor assessment process and reduce the need for manual intervention. To learn more, see How to send a security questionnaire via the UpGuard API and refer to our API documentation.
Expanded automatic product detection
We’ve expanded BreachSight’s product detection capabilities to include over 130 additional commonly used products in addition to the tens of thousands we already detect. Among the new products we detect are OpenSSH, Postfix, Kerberos, and many more. Read more about our Detected Products capability.
New vulnerability detection
We’ve added detection for two ServiceNow vulnerabilities, CVE-2024-4879 (CVSS 9.8) and CVE-2024-5217 (CVSS 8.7), both of which are being actively exploited in the wild. With this update, our platform can now effectively detect these high-severity threats.
Other improvements
- This release includes a number of bug fixes
Expanded categorization of attack surface risks
To deliver more accurate and actionable insights into your external risks, we’ve updated how we categorize risks detected on the external attack surface. Existing risk detections have been re-organized and expanded from five categories into ten. The new security domains are Encryption, DNS, Vulnerability Management, Attack Surface, and Data Leakage, which join the existing categories of Website, Email, Network, IP Reputation, and Brand and Reputation. We’ve also updated our scoring algorithm to better measure the level of risk associated with detected findings, and to reflect the risks that make up each category.
Auto-generated commentary for the Board Summary PowerPoint report
We’ve added auto-generated commentary for each visualization in the Board Summary PowerPoint report, so you can generate a powerful presentation with key insights instantly. The commentary is fully editable so you can adjust it to suit your audience and add your own insights. To learn more see How to generate a Board Summary report.
Notification for undelivered questionnaire requests
To help improve tracking and management of your questionnaire requests, we’ve added detection and notification for when a questionnaire request fails to reach the recipient. The notification questionnaire email has failed to send will be switched on by default for all users. The failure event will also appear in your questionnaire timeline.
Increased News & Incidents coverage for the US
We've enhanced our US coverage, capturing a broader and more accurate range of incidents to keep you better informed.
Other improvements
- We’ve added the risk assessment report to the reports API. To learn more about requesting a report via the API see How to request a report via the UpGuard API.
- We’ve increased the character limit of custom vendor attributes to 1,000. To learn more about defining and assigning custom vendor attributes see How to use custom vendor attributes.
- Subscribers of the BreachSight digest will now see the Competitor Analysis included in the monthly email.
- We’ve improved detection of Magento instances.
- This release includes a number of bug fixes.
New SIG 2024 and DPDP Act Questionnaires
SIG Core and SIG Lite 2024
We’ve introduced the Standard Information Gathering (SIG) Core questionnaire to our questionnaire library, and updated the SIG Lite questionnaire to the 2024 version. The SIG questionnaires provide a comprehensive framework for evaluating third-party cybersecurity across multiple domains, including data protection, regulatory compliance, and operational resilience.
Digital Personal Data Protection Act (DPDP), 2023 questionnaire
This release also introduces a questionnaire to evaluate an organization's compliance with India’s Digital Personal Data Protection Act, 2023. The DPDP Act is a legislative framework designed to protect the privacy of individuals' personal data by regulating its collection, processing, and storage by organizations in India.
Learn more about the security questionnaires available in UpGuard’s Library.
Export blank questionnaires
We’ve added an Excel export for blank questionnaires. This is available from the questionnaire summary page, the questionnaire library, and the custom questionnaire builder to help with the review process when building new questionnaires.
Other improvements
- This release includes a number of bug fixes.
New multi-framework security questionnaire
We’ve developed a Multi-Framework Security Questionnaire that comprehensively maps to both ISO 27001:2022 and NIST CSF 2.0, and it is now available to all customers in the questionnaire library. This dual-standard approach offers a holistic view of a third party’s security posture, ensures robust incident response and recovery plans, and demonstrates a commitment to high security standards. We're excited to roll out even more questionnaires covering global and local regulations in coming releases.
Detection of regreSSHion (CVE-2024-6387)
CVE-2024-6387 is a high-severity vulnerability in OpenSSH servers that, if exploited, facilitates Remote Code Execution with full root privileges (CVSS 8.1). This will raise a verified vulnerability and the high severity risk “Vulnerable to CVE-2024-6387 (OpenSSH regreSSHion Remote Code Execution)“.
Detection for polyfill.io inclusions
Recently the polyfill.io domain has taken new ownership. This has presented a new supply chain risk because they host the CDN for the polyfill JavaScript package. This will raise a new informational risk called "Polyfill.io or Polyfill.com Discovered"
Summary page added for Subsidiaries
For BreachSight plans that include subsidiaries, we’ve added a Subsidiary Summary page to allow you to view the security posture of your subsidiaries in more detail, including category breakdowns and geolocation details. To learn more see What is the subsidiary summary page.
Other improvements
- This release includes a number of bug fixes
Customize notifications for critical vendor incidents and news
Being informed of critical vendor incidents and news is crucial. To help you prioritize your notifications, we’ve added the ability to create a new custom notification for incidents and news, with options to apply conditional logic including tiers, labels, portfolios and other attributes. This allows you to tailor your notifications to highlight the ones that matter most to you.
Learn more about custom notifications.
Other improvements
- The Board Summary Report is now more customizable, with an option to show or hide competitor analysis from the overall security rating summary.
- This release includes a number of usability improvements and bug fixes.
Sign up for our newsletter
Free instant security score
How secure is your organization?
- Instant insights you can act on immediately
- Hundreds of risk factors including email security, SSL, DNS health, open ports and common vulnerabilities