UpGuard Release Notes

You can now invite colleagues from outside your security team to collaborate on questionnaires, providing business owners with visibility for vendor follow-ups and enabling input from contributors across departments. These users can view questionnaires, receive status updates, participate in reviews, and communicate internally through messages.

To learn more, see How to send security questionnaires in UpGuard Vendor Risk.

APRA CPS 230 questionnaire 

We’ve added a new security questionnaire to assess an organization’s adherence to the Australian Prudential Regulation Authority's (APRA) Prudential Standard CPS 230 Operational Risk Management. CPS 230 ensures that APRA-regulated entities effectively manage operational risks to maintain the resilience of critical operations. This questionnaire covers all APRA-regulated entities' requirements, including key principles, risk management framework, roles and responsibilities, operational risk management, business continuity, and service provider arrangements.

Product detection and scanning improvements

We’ve introduced new product detections in BreachSight and vulnerability detection across our platform:

• CUPS product & version detection
• CUPS CVE-2024-47176 vulnerability detection
• GeoServer product & version detection
• Apache OFBiz product detection

Other improvements

• The SIG Lite questionnaire has been updated to make document upload requests conditional
• This release includes a number of bug fixes

We're making it easier to understand and explain web risks by introducing Risk Remediation Guidance to BreachSight and Vendor Risk. This update offers detailed explanations of each risk, its importance, and how to remediate it, enabling swift action even for non-technical users. With Risk Remediation Guidance, BreachSight users can act more decisively, resolving risks efficiently with clear instructions, while vendors gain deeper insights to better understand and mitigate risks.

Digital Operational Resilience Act (DORA) questionnaire

We’ve introduced a new questionnaire to assess an organization’s adherence to the Digital Operational Resilience Act in the EU. In effect from January 17 2025, DORA addresses gaps in EU financial regulation by requiring financial institutions to manage ICT-related risks and operational resilience alongside traditional capital allocation for risk management.

Introducing Vendor Snapshots

Vendor Snapshots (previously Instant Reports) allow you to view the external risks of an organization for 30 days without adding it to your monitored vendor list. It’s perfect for when you need a point-in-time view of a vendor's security posture, such as when assessing or comparing potential vendors as part of a due diligence process.

Improvements that have been implemented as part of this release:

• Renamed feature to Vendor Snapshot to better reflect the functionality
• Made it easier to convert a Vendor Snapshot to a monitored vendor including retaining a view of expired snapshots
• Ability to include Vendor Snapshots in the vendor comparison tool and report
• Inclusion of Vendor Snapshots in vendors page exports (Excel and PDF)
• Changes to Vendor Snapshot entitlements: Enterprise plans will have unlimited Vendor Snapshots, Professional and Corporate plans will have a set number included, and all Vendor Risk plans will be eligible to purchase additional snapshots
  

To learn more see What is the difference between a Vendor Snapshot and a Monitored vendor?

‍Configuration Leak Detection

Our web scanner now detects client-side and server-side configuration leaks, enhancing protection against exposed API keys and configuration files. This update strengthens BreachSight and Vendor Risk by improving proactive risk detection for customers and their vendors.

Other improvements

• Each page now has its own title tag, which makes it easier to differentiate between multiple tabs in your browser
• This release includes a number of bug fixes

Responding to security questionnaires is now easier than ever. You can import PDF documents (such as SOC 2 reports or security policies) in order to automatically populate security questionnaires with accurate suggestions, harnessing UpGuard’s AI to do the heavy lifting. This is available both for security questionnaires sent to you by other UpGuard users, and any external questionnaires you’ve imported into Trust Exchange. Learn more about AI Autofill. 

NIST CSF 2.0 questionnaire

We’ve added a NIST CSF 2.0 questionnaire for you to assess an organization's compliance with the standards in the NIST Cybersecurity Framework (CSF) 2.0. This questionnaire comprehensively maps to NIST's six functions, which cover governance, identification, protection, detection, response, and recovery, ensuring that organizations meet the necessary security controls and practices.

Other improvements

• Expanded product detection in BreachSight for Cisco ASA
• This release includes a number of bug fixes

It's now possible to send and track questionnaires from your existing systems and workflows using the UpGuard API. Leverage the new send questionnaire endpoint to automate the initiation of your vendor assessment process and reduce the need for manual intervention. To learn more, see How to send a security questionnaire via the UpGuard API and refer to our API documentation.

Expanded automatic product detection

We’ve expanded BreachSight’s product detection capabilities to include over 130 additional commonly used products in addition to the tens of thousands we already detect. Among the new products we detect are OpenSSH, Postfix, Kerberos, and many more. Read more about our Detected Products capability.

New vulnerability detection

We’ve added detection for two ServiceNow vulnerabilities, CVE-2024-4879 (CVSS 9.8) and CVE-2024-5217 (CVSS 8.7), both of which are being actively exploited in the wild. With this update, our platform can now effectively detect these high-severity threats.

Other improvements

• This release includes a number of bug fixes

To deliver more accurate and actionable insights into your external risks, we’ve updated how we categorize risks detected on the external attack surface. Existing risk detections have been re-organized and expanded from five categories into ten. The new security domains are Encryption, DNS, Vulnerability Management, Attack Surface, and Data Leakage, which join the existing categories of Website, Email, Network, IP Reputation, and Brand and Reputation. We’ve also updated our scoring algorithm to better measure the level of risk associated with detected findings, and to reflect the risks that make up each category. 

Auto-generated commentary for the Board Summary PowerPoint report

We’ve added auto-generated commentary for each visualization in the Board Summary PowerPoint report, so you can generate a powerful presentation with key insights instantly. The commentary is fully editable so you can adjust it to suit your audience and add your own insights. To learn more see How to generate a Board Summary report.

Notification for undelivered questionnaire requests

To help improve tracking and management of your questionnaire requests, we’ve added detection and notification for when a questionnaire request fails to reach the recipient. The notification questionnaire email has failed to send will be switched on by default for all users. The failure event will also appear in your questionnaire timeline. 

Increased News & Incidents coverage for the US

We've enhanced our US coverage, capturing a broader and more accurate range of incidents to keep you better informed.

Other improvements

• We’ve added the risk assessment report to the reports API. To learn more about requesting a report via the API see How to request a report via the UpGuard API.
• We’ve increased the character limit of custom vendor attributes to 1,000. To learn more about defining and assigning custom vendor attributes see How to use custom vendor attributes.
• Subscribers of the BreachSight digest will now see the Competitor Analysis included in the monthly email.
• We’ve improved detection of Magento instances.
• This release includes a number of bug fixes.

SIG Core and SIG Lite 2024

We’ve introduced the Standard Information Gathering (SIG) Core questionnaire to our questionnaire library, and updated the SIG Lite questionnaire to the 2024 version. The SIG questionnaires provide a comprehensive framework for evaluating third-party cybersecurity across multiple domains, including data protection, regulatory compliance, and operational resilience. 

Digital Personal Data Protection Act (DPDP), 2023 questionnaire 

This release also introduces a questionnaire to evaluate an organization's compliance with India’s Digital Personal Data Protection Act, 2023. The DPDP Act is a legislative framework designed to protect the privacy of individuals' personal data by regulating its collection, processing, and storage by organizations in India.

Learn more about the security questionnaires available in UpGuard’s Library.

Export blank questionnaires 

We’ve added an Excel export for blank questionnaires. This is available from the questionnaire summary page, the questionnaire library, and the custom questionnaire builder to help with the review process when building new questionnaires.

Other improvements

• This release includes a number of bug fixes.

We’ve developed a Multi-Framework Security Questionnaire that comprehensively maps to both ISO 27001:2022 and NIST CSF 2.0, and it is now available to all customers in the questionnaire library. This dual-standard approach offers a holistic view of a third party’s security posture, ensures robust incident response and recovery plans, and demonstrates a commitment to high security standards. We're excited to roll out even more questionnaires covering global and local regulations in coming releases.

Detection of regreSSHion (CVE-2024-6387)

CVE-2024-6387 is a high-severity vulnerability in OpenSSH servers that, if exploited, facilitates Remote Code Execution with full root privileges (CVSS 8.1). This will raise a verified vulnerability and the high severity risk “Vulnerable to CVE-2024-6387 (OpenSSH regreSSHion Remote Code Execution)“.

Detection for polyfill.io inclusions 

Recently the polyfill.io domain has taken new ownership. This has presented a new supply chain risk because they host the CDN for the polyfill JavaScript package. This will raise a new informational risk called "Polyfill.io or Polyfill.com Discovered"

Summary page added for Subsidiaries

For BreachSight plans that include subsidiaries, we’ve added a Subsidiary Summary page to allow you to view the security posture of your subsidiaries in more detail, including category breakdowns and geolocation details. To learn more see What is the subsidiary summary page.

Other improvements

• This release includes a number of bug fixes

Being informed of critical vendor incidents and news is crucial. To help you prioritize your notifications, we’ve added the ability to create a new custom notification for incidents and news, with options to apply conditional logic including tiers, labels, portfolios and other attributes. This allows you to tailor your notifications to highlight the ones that matter most to you.

Learn more about custom notifications.

Other improvements

• The Board Summary Report is now more customizable, with an option to show or hide competitor analysis from the overall security rating summary.
• This release includes a number of usability improvements and bug fixes.

Configure vulnerability notifications by CVSS severity

Effective vulnerability management hinges on prioritization. Responding swiftly to critical vulnerabilities is as crucial as efficiently scheduling patches for lower-severity issues. The thresholds for these actions depend on each organization's risk tolerance.

Our new custom notification feature for vulnerabilities helps you achieve these goals. Now, you can set notifications for newly detected vulnerabilities that meet or exceed a specified CVSS threshold. You can further customize these notifications with conditional logic based on label, vendor portfolio, or vendor tier.

Learn more about creating notifications for risks or vulnerabilities by severity.

Add manual risks to questionnaires

To help you capture additional risks identified through the questionnaire review process we’ve added the ability to add manual risks to a questionnaire.

Learn how and when to use manual risks in a questionnaire.

Allow users outside of UpGuard to request relationship questionnaires

Relationship questionnaires allow you to collect information about your organization's engagement with a vendor to help inform the appropriate level of assessment. With this enhancement, you can initiate a request for a relationship questionnaire via an API call. This allows non-users, such as business owners, to request relationship questionnaires from outside of the platform, streamlining procurement and vendor assessment processes.

Learn more about using the vendor relationship questionnaire and refer to our API documentation.

Other improvements

• This release also includes several minor improvements and bug fixes

Identity breaches now include a new attribute that indicates the source of the data, specifying whether it originated from a company's breach, a paste document, or an Infostealer malware infection. Additionally, breaches can be filtered by type, providing a focused view of how your users have been exposed through third-party breaches or malware.

Note: the Infostealer data feed is included for customers on the Professional plan, and can be added on for Starter and Basic plans.

Other improvements

• The Shared Profile has been renamed to Trust Page in the navigation and other areas. A Trust Page allows you to instantly share your security documentation with your customers.
• We’ve incorporated a new detection for CVE-2024-24919, a high-severity information disclosure vulnerability affecting Check Point Security Gateway devices, now recognized as a CISA Known Exploited Vulnerability.
• This release includes a number of bug fixes.

A new setting now allows you to control who in your business is a nominated approver of risk waivers in both BreachSight and Vendor Risk, and risk adjustments in Vendor Risk. You can:

• Mandate approval for risk waivers and risk adjustments
• Nominate specific users who can approve risk waivers and adjustments

You can configure these approval settings for BreachSight and Vendor Risk in the Settings page.

Other improvements

• Webhooks have been enhanced with the addition of a Questionnaire ID field.
• The Vendor Risk executive summary page now includes tiering information in the highest and lowest scored vendors tables.
• Vendor tier and vendor score are now available in the Vendor Risk portfolio risk profile and risk export.
• We’ve made the Vendors page Excel export more customizable by adding the option to only include fields that you have selected to display.
• We’ve added more detail to manually reduced risks in risk assessments and vendor reports including justification.
• This release includes a number of bug fixes.

Scale up your third-party risk management program and clear your backlog with our refreshed workflow for Managed Vendor Assessments. Engage our analyst team for expert assessment of your critical suppliers. Key features include:

• Faster turnaround: we analyze audit reports and security documentation to reduce dependency on vendors responding to lengthy questionnaires.
• Aligned to industry standards: our assessment encompasses controls for key security frameworks including ISO 27001:2022 and NIST Cybersecurity Framework (CSF) 2.0.
• Easy to understand report: clearly communicate risk to your stakeholders with the redesigned report featuring all risks, findings and recommendations mapped to key security domains and control groups.

Read more about Managed Vendor Assessments, or contact your UpGuard account representative to see a sample assessment.

Newly registered domains monitoring for Typosquatting

We’ve improved how we detect typosquatting by monitoring newly registered domains for more possible permutations of your domain name. This improvement will identify more potentially malicious domains, faster.

Improved filtering and risk visibility in questionnaire viewer

We’ve made some changes to the questionnaire viewer to help you and your vendors focus on areas that need attention:

• We’ve added a filter to the questionnaire detail view so you can easily navigate to raised risks, unanswered questions and autofilled responses.
• We’ve added a risk table to the questionnaire summary to help recipients identify and address risks.

Other improvements

• This release includes a number of bug fixes.

‍