UpGuard Release Notes

Learn about new features, changes, and improvements to UpGuard.
July 2021
Support for subsidiaries in your vendor's Risk Profile

Abi Tyas Tunggal
July 21, 2021

We've added support for viewing a vendor and its subsidiaries in its Risk Profile.

This view lets you see all the risks present across the vendor and its subsidiaries. Each of the identified risks has a severity, name, risk type, category, and a number of organizations impacted. By default, findings are sorted by severity, with critical severity items at the top.

You can drill down into each identified risk to see the impacted organizations and their associated domains. However, you will need to be monitoring the subsidiary as a vendor to request remediation or to waive the risk. You can do this by clicking Monitor vendor.

Additional SSL-based checks

We've added support for three new SSL-based checks:

  1. Untrusted SSL certificate (informational severity): The certificate presented by this domain was not issued by a trusted certificate authority and therefore cannot be verified by browsers.
  2. SSL certificate chain missing from server response (medium severity): There is an invalid or missing intermediate certificate. This can cause some browsers to break the padlock. An intermediate/chain certificate may need to be installed to link it to a trusted root certificate.
  3. SSL expiration period longer than 398 days (medium severity): Certificates issued on or after September 1, 2020 must not have a validity period greater than 398 days. The certificate will need to be reissued with a maximum validity of 397 days.
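
The third check can be reproduced from the `notBefore`/`notAfter` fields that Python's `ssl` module returns for a certificate. This is an added example, not UpGuard's code; the function names, the constructed sample certificates, and the choice to measure the validity period as `notAfter - notBefore` in seconds are assumptions.

```python
import socket
import ssl
from datetime import datetime, timezone

# Thresholds taken from the check description above.
POLICY_START = datetime(2020, 9, 1, tzinfo=timezone.utc)
MAX_VALIDITY_DAYS = 398


def _cert_time(value):
    """Parse a getpeercert() timestamp such as 'Oct  1 00:00:00 2020 GMT'."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def check_validity_period(cert):
    """Evaluate one certificate dict (getpeercert() layout) against the rule.

    Certificates issued before POLICY_START are reported as out of scope
    rather than as violations, because the limit only applies to
    certificates issued on or after that date.
    """
    not_before = _cert_time(cert["notBefore"])
    not_after = _cert_time(cert["notAfter"])
    if not_after <= not_before:
        raise ValueError("notAfter is not later than notBefore")
    lifetime_days = (not_after - not_before).total_seconds() / 86400
    in_scope = not_before >= POLICY_START
    return {
        "lifetime_days": round(lifetime_days, 2),
        "in_scope": in_scope,
        "violation": in_scope and lifetime_days > MAX_VALIDITY_DAYS,
    }


def fetch_cert(host, port=443, timeout=5.0):
    """Fetch the leaf certificate of a host you operate (needs network access).

    With the default context, a certificate that fails validation (untrusted
    issuer, missing intermediate) raises ssl.SSLCertVerificationError during
    the handshake, before any validity dates are available.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample data in the same layout getpeercert() returns.
SAMPLE_CERTS = {
    "two_years_after_cutoff": {
        "notBefore": "Oct  1 00:00:00 2020 GMT",
        "notAfter": "Oct  1 00:00:00 2022 GMT",
    },
    "two_years_before_cutoff": {
        "notBefore": "Aug  1 00:00:00 2020 GMT",
        "notAfter": "Aug  1 00:00:00 2022 GMT",
    },
    "397_days": {
        "notBefore": "Jan 10 00:00:00 2021 GMT",
        "notAfter": "Feb 11 00:00:00 2022 GMT",
    },
    "399_days": {
        "notBefore": "Jan 10 00:00:00 2021 GMT",
        "notAfter": "Feb 13 00:00:00 2022 GMT",
    },
}


def audit(certs):
    """Run the validity-period check over a name -> certificate mapping."""
    return {name: check_validity_period(cert) for name, cert in certs.items()}


if __name__ == "__main__":
    for name, result in audit(SAMPLE_CERTS).items():
        status = "VIOLATION" if result["violation"] else "ok"
        print(f"{name:26} {result['lifetime_days']:7.1f} days  {status}")
```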

Other fixes and improvements

  • Creating vendors with no web presence is now available for all customers with vendors
  • Added notification for news articles in Incidents & News
  • Increased upload limit from 10MB to 50MB
  • Added highlight for news articles tagged as Advisory in Incidents & News
  • Improved handling of WAFs and CAPTCHA for our automated scanning engine
  • Fixed issue causing inactive subdomains to not be scanned in some situations
Vendor Shared Profiles

Abi Tyas Tunggal
July 7, 2021

Now when you send a vendor a questionnaire through UpGuard, they'll be prompted to create a free Shared Profile that lets them proactively share their security rating, completed questionnaires, and other security documentation.

If a vendor chooses to create one, it will drastically cut down the time it takes for you and other UpGuard customers to assess them in the future. It also benefits the vendor as they'll spend less time filling out the same questionnaire while ensuring their customers have an accurate and up-to-date view of their security posture.

Vendors will be able to publish the following information on their Shared Profile:

  • Security ratings: Toggle the inclusion of their own and their industry average security rating. Learn more about security ratings here.
  • Security contact: Share contact information for the team or key employee who is responsible for security.
  • Company description: Help users quickly understand what the vendor does.
  • Security questionnaires: Proactively share complete security questionnaires to reduce time spent on answering similar assessments.
  • Supporting documentation: Share security-related documentation or compliance certifications such as PCI DSS, SOC 2, ISO 27001, FedRAMP, etc.

Learn more about Vendor Shared Profiles.

Create vendor with no web presence

Abi Tyas Tunggal
July 6, 2021

You can now add and assess vendors with no web presence. Prior to this release, vendors needed a website to be added to UpGuard. Now you can add any vendor you like, even if they don't have a website.

This is great for situations where you need to assess an independent contractor who doesn't have a web presence but will handle your organization's sensitive information. Once you've added them as a vendor with no web presence, you'll be able to send them a questionnaire and assess them based on their responses. You'll also be able to add contacts, upload additional evidence, and perform a risk assessment inside UpGuard.

This feature is currently in closed beta. If you would like to beta test the feature, please contact us.

Learn how to create a vendor with no web presence.

Improvements to the questionnaire process for customers

In May, we rolled out an improved questionnaire experience for vendors that was designed to reduce the time it takes for you to get a complete and accurate questionnaire.

In this release, we're taking what we've learned from that process and applying it to the customer-facing experience. The new page replaces, improves, and streamlines our previous questionnaire details page.

You can now quickly see the progress of the questionnaire, view unanswered questions, and view any associated remediation requests you have created. Messages now appear in the top-right corner of your screen which makes it simple to respond to any vendor queries.

The page has been split into three separate tabs:

  1. Overview: Questionnaire metadata, progress, remediation requests, and unanswered questions.
  2. Documents: Any attached documents
  3. Timeline: The version history and timeline of the questionnaire

Other fixes and improvements

  • Any users that are invited to a questionnaire or remediation request will now appear in the timeline
  • Added support for retrieving all risks for an organization via the API
  • Added support for IP addresses in the risks diff API
  • Fixed issue causing domains parked at Gandi to be marked as active rather than inactive
  • Added questionnaire designed to determine exposure to the recent supply chain ransomware attack that impacted Kaseya VSA
  • Fixed issue causing questionnaire reminders to not be sent if one or more emails associated with the reminder bounced
  • Added modal to inform you when you've hit your vendor limit
  • Fixed issue causing security ratings and labels to not appear in domain view from a risk assessment
June 2021
What's new in UpGuard | June 2021

Abi Tyas Tunggal
June 30, 2021

Learn about new features, changes, and improvements to UpGuard this month:

  • You’re now able to generate a risk report for your own organization, generating a great tool to use with non-technical audiences to drive decision-making, and speed up remediation.
  • The new and improved BreachSight Executive Summary has been crafted to make it as easy as possible for you to communicate your organization’s security posture to different stakeholders.
  • We’ve improved and simplified the management of your shared profile, letting you proactively share security-related information with the companies that need to assess you.
Shared Profile enhancements

Abi Tyas Tunggal
June 22, 2021

We've significantly improved and simplified the management of your Shared Profile.

For background, a Shared Profile lets you proactively share security-related information with companies that need to assess you. This typically includes completed security questionnaires and compliance certifications like PCI DSS, SOC 2, ISO 27001, or FedRAMP.

By completing your Shared Profile, you'll build trust with your business partners and show that your organization is taking cybersecurity seriously. You'll also spend less time filling in manual assessments while ensuring customers have an accurate and current view of your security posture.

When you go to manage your Shared Profile, you'll now see a checklist of what you need to do to complete it. As you fill out more of your profile, we'll automatically check off the associated line item in the checklist. This makes it easy to see what you have added and what you may be missing.

As part of these improvements, we've also improved the design of your Shared Profile, added support for adding a security contact and company description, and added the ability to toggle the inclusion of your security rating.

Learn how to publish your shared profile.

Remediation workflow enhancements

We're making it even easier to create and manage remediation requests. Creating an internal remediation request is now just two steps, down from four. Likewise, vendor remediation requests are now a maximum of four steps, down from six. Each request will take you less time to create, freeing you up to focus on other activities.

After creating a request, you'll also notice that we've significantly improved the information hierarchy of the remediation request details page. The page has been split into two tabs:

  • Overview: Metadata about the request, detailed insights into the progress of the request, and the risks and assets that are under remediation
  • Timeline: The important events that have happened in the request

Messages now appear in the top right corner of your screen which makes it easy to respond to any queries recipients may have.

Learn how to send an internal remediation request or a vendor remediation request.

Other fixes and improvements

  • You can now export all your audit log events or export the last 30, 60, 90, 120, or 365 days
  • Added support for pulling your own, your vendors', and your subsidiaries' domains, IPs, and IP ranges, as well as associated information like the asset's security rating via the API
  • Domains, IP addresses, IP ranges, and vendors can now be labelled via the API
  • Improved design of login, signup, and password reset screens.
Risk Report

Abi Tyas Tunggal
June 8, 2021

Our Vendor Risk Reports are one of our most used features. In fact, many of you have gone as far as to monitor yourself as a vendor so you can get access to a similar report on yourself!

The good news is you no longer need to do this. You can now generate a Risk Report that outlines the security posture of your organization. This report can be configured to include automated scanning results, competitor analysis, geolocation data, and underlying risk details.

It provides context about identified risks, remediation recommendations, and information about how each risk category contributes to your overall security rating.

Like our Vendor Risk Report, the language in the Risk Report is simple, easy to understand, and suitable for non-technical audiences which makes it a great tool to drive decision-making, speed up remediation, and highlight areas that could use additional resources.

Learn how to generate a risk report.

Improvements to BreachSight Executive Summary

The improved BreachSight Executive Summary is designed to make it even easier for you to communicate your security posture to stakeholders. The page and associated PDF export now outline the average security rating for your industry and provide a description and weighting for each risk category. This makes it simple for new users and internal stakeholders to understand what UpGuard measures, how you're tracking against your industry, and your strengths and weaknesses.

To see a breakdown of how each category contributes to your security rating, click How does each risk category attribute to this score? in the BreachSight overview section or click on the weighting in any of the risk categories.

We've also invested in improving the add competitors modal in the Competitor Analysis. The new design makes it easy to find and add competitors: just type in the name or URL, then click Add competitor.

Learn more about the BreachSight Executive Summary and how to add a competitor.

Other fixes and improvements

  • Added support for pulling Typosquatting information via the API
  • Added Last Assessed to PDF export of Vendors
  • Added letter grade to XLS export of Vendors
  • Fixed issue causing Status and Risks detected columns to not match across the app and PDF export of Questionnaires
  • Improved error and alert feedback design
  • Email addresses that hard bounce are now automatically ignored in Identity Breaches
May 2021
What's new in UpGuard | May 2021

Abi Tyas Tunggal
May 31, 2021

Learn about new features, changes, and improvements to UpGuard this month:

  • The new Incidents & News feed provides you with a searchable, chronological list of security updates that matter to you.
  • You now have the ability to create and manage custom roles, making it simple to assign team members the correct permissions within the UpGuard platform.
Incidents & News feed

Abi Tyas Tunggal
May 26, 2021

Current UpGuard customers rely on Identity Breaches to identify and notify employees who have had their credentials exposed in a third-party data breach. But not every breach impacts your organization nor do we have access to the details of every breach. 

Prior to this release, breaches that fall under this definition weren’t visible inside UpGuard, nor were other important security-related events such as ransomware attacks or M&A activity. Even if these incidents don’t impact your organization, they provide important context that can feed into your risk assessment on a vendor.

Incidents & News is designed to provide you with a searchable, chronological feed of publicly disclosed data breaches and other security-related information such as cyber attacks, ransomware, malware, acquisitions, spin-offs, mergers, and more. 

The feed is broken down into individual items that have a date, severity, type, impacted company, summary, and where applicable other related companies. At the top of Incidents & News, you’ll see three tabs that filter down results:

  1. Incidents: Think data breaches, cyber attacks, ransomware, malware, etc.
  2. News: Mergers, acquisitions, spin-offs, and other security-related news. 
  3. You and your vendors: Incidents and news related to you or your vendors. 

By default, results that are shown are limited to the last twelve months but you can adjust this timeframe as you like.

Incidents & News is currently in closed beta and will be rolled out to all customers soon. 

Learn more about Incidents & News here.

Improved questionnaire process for vendors

We’re rolling out an improved questionnaire experience for vendors to reduce the time it takes for you to get a complete and accurate questionnaire. The new page replaces, improves, and streamlines our previous questionnaire details page which vendors told us was confusing. 

Vendors can now quickly start answering the questionnaire, track their progress, discover unanswered questionnaires, and see any associated remediation requests. Messages sent to vendors will now appear in the top right corner of their screen which makes it simple to respond to your queries. 

The page has been split into three separate tabs: 

  1. Overview: Questionnaire metadata, progress, remediation requests, and unanswered questions.
  2. Documents: Any attached documents 
  3. Timeline: The version history and timeline of the questionnaire

Learn more about how UpGuard makes it easy for vendors to answer questionnaires.

Better remediation reporting

Managing and reporting on your remediation activity gets harder as you scale. That’s why we’re excited to be improving the reporting functionality for Remediation Requests.

Remediation request tables now show the total number of active requests as well as a breakdown of the number of requests at each stage (in progress, awaiting review, completed, archived). 

This makes it simple to keep track of your overall progress and to dive deeper into the requests that need your attention. We’ve also added support for exporting remediation requests to PDF or Excel, making it easy to share progress with internal stakeholders, auditors, and regulators.

Learn how to export your internal or vendor remediation activity here.

Other fixes and improvements

  • Added Date Published field to Identity Breaches API
  • Added Last Assessed field to Vendors API
  • Improved Typosquatting results by adding support for commonly used prefixes and suffixes
  • Improved performance of Domains in tree view
  • There is now a task for when a questionnaire needs to be resent
Role-based access control and granular user permissions

Abi Tyas Tunggal
May 12, 2021

You likely already restrict access to a portion of your UpGuard account to specific users. For example, not every user on your account should have administrative access. But what we’ve heard from you is that as you onboard more users, it gets harder and harder to manage, keep track of, and update the permissions of each user. 

That’s why we’re introducing role-based access control. Administrators can now create and manage custom roles, making it easy to ensure each teammate has the right permissions and that your organization is following the principle of least privilege. You can learn more about RBAC and the principle of least privilege on our blog.

Managing roles is as simple as creating a role, configuring your desired permissions, and assigning it to users. If you need to update a role later, any changes will cascade down to the assigned users too. 

We also heard that you wanted more granular permissions. That’s why you can now decide whether a user has access to BreachSight, Vendor Risk, or CyberResearch. This is great for situations where one team manages your attack surface and another separate team manages your vendors. 

In addition to these improvements, you can now decide whether a user has read-only or full access to BreachSight’s or Vendor Risk’s core features, as well as whether a user has access to Identity Breaches and Typosquatting. 

Role-based access control is currently in closed beta and only available for certain plans. Please reach out to us if you would like to learn more. 

Learn how to create and manage roles.

Label vendor and subsidiary domains, IP addresses, and IP ranges plus support for labelling in tree-view

Another frequent bit of feedback we receive is that you want to be able to label your vendor’s or your subsidiary’s domains, IP addresses, and IP ranges so you can drill down into the specific assets that mean something to you. Now you can. 

Next time you’re on a vendor’s or subsidiary’s Domains or IP Addresses page, you’ll see an Add label on the far right of the table. Clicking Add label will allow you to add an existing label or create a new one. For context, labels in UpGuard are broken down into vendor and asset labels. This means that domain and IP address labels are shared across BreachSight and Vendor Risk.

As part of these improvements, we’ve refreshed the design of the labels modal, moved the management of labels to Settings under the Labels tab, and added support for labelling domains in tree view across BreachSight and Vendor Risk. 

These improvements make it easier than ever to track your and your vendors’ assets and to keep your team’s labels under control. 

Learn how to label your vendor domains, IP addresses, and IP ranges and your subsidiary’s domains, IP addresses, and IP ranges, as well as how to manage your labels.

Trigger webhook calls from audit log events

Administrators can now push Audit Log events into other platforms using our Integrations feature. For background, Integrations uses webhooks to notify your other applications when an event happens in your account. Examples of these events include when an identity breach or data leak is detected, the score of a watched vendor drops below a threshold, and now any Audit Log event of your choosing.

Learn how to integrate UpGuard with other services.

Other fixes and improvements

  • Added an exception for Kubernetes clusters that sit behind AWS Elastic Load Balancing. This means that scores won’t change unexpectedly when Kubernetes stops and starts.
  • Fixed bug causing Excel report generation to break for large exports
  • Vulnerabilities that have been waived will no longer produce notifications
  • Improved design of domain side panel to indicate when a risk is coming from www or the root domain
April 2021
What's new in UpGuard | April 2021

Abi Tyas Tunggal
April 30, 2021

Learn about new features, changes, and improvements to UpGuard this month:

  • We’ve introduced a convenient new Home screen to replace the notifications page.
  • You can now share completed risk assessments and additional evidence with your related organisations who also have an UpGuard account.
  • You now have the ability to discover and drill down into the geographies that you and your vendors are operating in.
Geolocation Risk

Abi Tyas Tunggal
April 29, 2021

Geolocation Risk lets you discover and drill down into the geographies that your infrastructure and your vendors’ infrastructure are operating in. It’s similar to Fourth Parties but focused on geographies instead of fourth parties.

Monitoring Geolocation Risk is a great way to understand whether data is being hosted in different countries and what data and privacy laws may be in place to protect it.

It’s also a great way to keep track of what countries your data may be stored in. This is particularly important for organizations in regulated industries like financial services or healthcare who may have regulatory requirements that dictate what countries data can be stored in. 

Geolocation Risk information is available in the BreachSight Executive Summary, Vendor Risk Executive Summary, Vendor Summary, and the Vendor Risk Report.

Geolocation Risk is currently in beta. If you would like us to enable it on your account, please contact us.

Other fixes and improvements

  • Changed names of Concentration Risk and Supply Chain to Fourth Parties to improve consistency across the product and to better reflect what the feature does
  • Improved the subject line of invitation emails making it even easier for new users to get started
  • Removed the register a domain button from Typosquatting 
  • Owned IP ranges with no active IP addresses are now shown in your or your vendors’ IP Addresses
  • IP addresses that are part of an owned IP range and are discovered through a DNS record will now be labelled as Owned and DNS rather than only one
Home

Abi Tyas Tunggal
April 16, 2021

Keeping on top of what has happened in your UpGuard account is one of the most important things you can do to improve your security posture. That’s why we’ve created Home. Home is a replacement for the existing Notifications screen. It highlights new events and actions that have occurred since you last logged in. 

Events can include score changes for your websites or your vendors, typosquatting updates, vulnerability notifications, and more. For UpGuard administrators, it can also include audit log events. 

Home is split into two tabs, All activity and My tasks.

All activity is broken down into cards, with each card linking directly to the relevant section in the app, making it even easier to dive deeper into the events that matter most to you. Each card also has a list of breadcrumbs to help you passively learn the structure of the platform over time. 

My tasks gives you an up-to-date list of the actions you need to take next inside UpGuard. This can include things like approving risk waivers, replying to messages, reviewing submitted security questionnaires, and actioning remediation requests. Tasks will stay active until you complete or dismiss them. 

Home is currently in beta. If you would like us to enable it on your account, please contact support@upguard.com.

Learn how to manage your Home screen

Improved support for CyberResearch tiers

Customers who have purchased more than one tier of our third-party risk management services can now pick which service level they want the vendor assessed to. We’ve also added support for defining the importance of the vendor to your organization. 

As part of this work, we’ve also improved the granularity of the statuses shown in Managed Vendors to make it even easier to see where your request is up to. This means that rather than seeing that a request is in progress, you’ll be able to see where in the process your request is up to, such as gathering evidence, performing risk assessment, remediating risks, etc.

If you are an existing customer who wants to learn more about our third-party risk management services, please contact support@upguard.com 

Learn more about Managed Vendors here

Securely share vendor assets with related entities

Gathering evidence and performing risk assessments are time-intensive and expensive for you and your vendors. That’s why we’re introducing a way to securely share your completed security questionnaires, additional evidence, and risk assessments with those related entities who also have an UpGuard account. 

If your organization is part of a multi-org account, you and your related entities can now proactively share vendor assets. Sharing assets is a great way to eliminate the email back and forth that is usually associated with onboarding a new vendor, allowing your organization to assess more vendors in less time by leveraging the work done by related entities. 

To understand how Shared Assets works, let’s go through an example. 

Imagine you need to assess a potential vendor for your marketing team. You log into UpGuard, monitor the vendor, and click on Shared Assets. You see that a related entity has shared a completed questionnaire and a risk assessment. 

Rather than doing your own assessment, you request access to your related entity’s assets, read through them, and determine the vendor is not adequately secure. You respond to your marketing team’s query, outlining why the potential vendor is not a good fit based on your related entity’s assessment. 

And just as you can control access to your Shared Profile, you can control who has access to your Shared Assets. Related entities won’t get access to your assets unless you provide it to them.

Learn how to use Shared Assets here

Other fixes and improvements

  • Removed the use of no-reply from our transactional email addresses which should improve deliverability of our emails
  • Improved design of the vendor summary to display all available assets
  • Third-party risk management services customers can now create, edit, and publish their own risk assessment
  • Improved the performance of the changes view for you and your vendors
March 2021
Speed is a feature

Abi Tyas Tunggal
March 31, 2021

We’ve made significant performance improvements to key pages like the Risk Profile and Vendor Summary. When you next visit one of these pages you’ll notice they load significantly quicker, particularly for large vendors with thousands of domains. 

This means less time spent waiting for things to load and more time diving into the details that matter to you. 

Other fixes and improvements 

  • Added support for document storage in India
What's new in UpGuard | March 2021

Abi Tyas Tunggal
March 31, 2021

Learn about new features, changes, and improvements to UpGuard this month:

  • You can now build your own custom security questionnaires, right inside the UpGuard platform.
  • We’ve also introduced a new option to schedule recurring reports on a weekly, monthly, quarterly, or yearly cadence.
  • You now have the ability to export inactive domains owned by you or your vendors. We've refreshed the design of the "Domains" PDF export to support this.
Export inactive domains

Abi Tyas Tunggal
March 16, 2021

You can now export your own and your vendors’ inactive domains. To support this new feature, we’ve refreshed the design of the Domains PDF exports. The new design makes it super simple to see which domains are active and which are inactive, as well as when domains were last scanned. 

If you have any feedback on this or any other feature, don’t hesitate to reach out to us.

Learn how to export your domains or a vendor’s domains.

Export audit log

We’re giving you more control over where you can use audit log data by allowing UpGuard administrators to export to Excel. This makes it simple to ingest events into other platforms or to track employee usage of the UpGuard platform. 

Learn how to export your audit log

Other fixes and improvements

  • Fixed issue where vendors were still being scored when they had no active domains
  • Fixed issue causing vendors to have a questionnaire score when they had no completed questionnaires
  • Added optional expiration date for additional evidence
  • Added a verified vulnerability check for the new Microsoft Exchange vulnerability (CVE-2021-26855)
  • Added pagination on questionnaire page
Build your own security questionnaires

Abi Tyas Tunggal
March 4, 2021

You can now build your own security questionnaires inside the UpGuard platform. Start from scratch, or use one of our growing library of questionnaires as a starting point and adjust it to cater for your specific needs.

Creating a custom questionnaire is easy. We provide you with a range of question types designed to cater for different circumstances. Think single, multi-select and text-based answers, as well as file uploads to capture additional evidence and sections to group related questions together. 

Like our in-built questionnaires, custom questionnaires can be configured to automatically identify risks based on one or more answers to a set of questions. When a risk is identified, you can also choose whether or not to ask respondents for compensating control information.

In addition to automatic risk identification, our custom questionnaire builder has powerful conditional logic which lets you ask the right questions and skip the rest. Asking only what is required means more thoughtful responses and higher completion rates. 

All in all, your custom questionnaires can be as powerful as you want them to be.

While we iron out the last kinks, this is a beta feature. You can get it enabled by reaching out to our support team. If you have any feedback on this or any other feature, don’t hesitate to reach out to us.

Learn how to use our questionnaire builder.

Recurring reports

We have added the option to schedule recurring reports.

Exporting data in UpGuard has so far required you to log in, navigate to the desired page, and then click the export button each time you want fresh data. This can become frustrating if you want to export the same data on a recurring schedule or if you need to share the data with stakeholders who don’t use the UpGuard platform.

This is why we built a new way to export reports that makes it super simple and fast to create recurring reports on a weekly, monthly, quarterly, or yearly cadence. The new export modal also lets you add any email address, so you can easily share recurring reports with colleagues or stakeholders who aren’t UpGuard users.

Recurring reports is currently a beta feature. If you would like to be a beta tester, please reach out to our support team.

Learn more about recurring reports.

Other fixes and improvements

  • You can now remove the original recipient and change the sender when resending questionnaires
  • Added support for multiple recipients when creating a questionnaire or remediation request
  • Fixed issue where /vendors and /vendor endpoints were returning different scores
  • Fixed issue where vendors using Amazon CloudFront would be penalized
  • Fixed issue causing an open port 7654 on Azure Apps environments to be raised as a risk
  • Domains parked at NetRegistry will now be classified as inactive
  • Fixed issue where custom domains were not shown when they failed their first scan
  • Vulnerability notifications now lead to a filtered version of the vulnerabilities page that is specific to the notification
  • Fixed issue causing vendors with no active domains to not load
February 2021
What's new in UpGuard | February 2021

Abi Tyas Tunggal
February 28, 2021

Learn about new features, changes, and improvements to UpGuard this month:

  • You’re now able to export your list of monitored typosquatting domains, as well as any registered, unregistered, and ignored permutations of a specific domain.
  • We’ve also introduced filters for typosquatting. When you export, you can apply any active filters.
  • ‘Vendor Risk Waivers’ is a small but meaningful improvement that lets you waive vendor risks that have been identified through automated scanning, questionnaires, and additional evidence.
Export typosquatting

Abi Tyas Tunggal
February 23, 2021

You can now export your list of monitored typosquatting domains, as well as the registered, unregistered, and ignored permutations of a specific domain to PDF or Excel. 

Once exported, you can use the permutations in workflows outside the UpGuard platform. This may include adding registered permutations to a default block list for your email gateway, handing them over to your legal team to do takedown outreach, or feeding them into a separate platform. 

In addition to these improvements, we’re also introducing filtering for typosquatting. You can filter down the number of typosquatting permutations by selecting a specific type. For example, you may want to identify all the possible typosquatting permutations that are homoglyph substitutions. And when you go to export, you’ll have the option to apply any active filters.

Learn how to export from typosquatting or filter typosquatting permutations results.

Other fixes and improvements

  • You can now retrieve files uploaded to a vendor’s documents, questionnaires, or additional evidence via our API
  • Active vendor risk waivers now appear in the Vendor Report as well as Risk Profile, Risk Assessment, and Portfolio Risk Profile exports
  • Compensating control information for questionnaire risks is now visible on the questionnaire details page
  • Waiving a risk from a specific questionnaire now only selects the risk from the corresponding questionnaire
  • Fixed bug where compensating control information was being displayed for all questionnaires rather than only the questionnaires that the risk was waived from
  • Fixed issue where Vendor Summary prompted Third-Party Risk Management Services customers to create or edit a questionnaire when one didn’t exist or was in draft
  • Standardized time format in UpGuard API to 6 decimal places
  • Improved text in vendor risk report to support situations where details are not exported
  • Fixed issue where inactive domains were not showing if there were no associated scanning results
  • Fixed issue where parent domain wasn’t showing in tree view when all subdomains were inactive
Waive vendor risks

Abi Tyas Tunggal
February 8, 2021

We’ve made a small but meaningful improvement to how you manage vendor risks inside UpGuard. Vendor Risk Waivers lets you waive vendor risks identified through automated scanning, questionnaires, and additional evidence.  

This feature is particularly useful for risks identified through questionnaires. For those that are not aware, when you send a questionnaire through the UpGuard platform we automatically identify risks based on the answers provided by your vendor and ask for compensating control information. 

In the past, you couldn’t use this compensating control information to waive the risk even if you were happy with the information provided. Now you can waive risks and remove them from the vendor’s risk profile if the vendor has adequate compensating controls. 

Vendor Risk Waivers is currently in closed beta. If you would like access, please contact UpGuard support.

Learn how to waive a vendor risk.

Detect vendor data leaks

We’re introducing a new managed service called Vendor Data Leaks. As you may be aware, our team of analysts and proprietary data leak detection engine give us an unparalleled ability to find leaked credentials and exposed data before it gets into the wrong hands. 

Vendor Data Leaks extends these capabilities by monitoring for data leaks at your vendors so you know if they’ve exposed data before it impacts your organization. When our data leak detection engine finds an exposure at your vendor, our analysts review the data, assign a severity, and speak to you to get an appropriate vendor contact. 

Once we have a contact, we’ll work directly with the vendor to remediate the issue and notify you when the exposure has been resolved. 

Vendor Data Leaks is currently in closed beta. If you would like more information, please contact UpGuard support.

Learn more about vendor data leaks

Other fixes and improvements

  • You can now use the category filter on the risk profile in exports
  • Improved design of export modal
January 2021
December 2020
Let UpGuard manage your third-party vendor risk

Abi Tyas Tunggal
December 15, 2020

Managed Vendors helps you manage your third-party vendor risk. UpGuard analysts assess your vendors and present their findings in a comprehensive report based on the analysis of security questionnaires, compensating control information, public security documentation, and security ratings data. 

Beta users can now see which vendors are managed by UpGuard, request an assessment, and get notified when analysts publish a new assessment from inside the platform. 

Managed Vendors is currently a beta feature. If you are a current Managed Vendors customer or want to learn more about how UpGuard can help you manage your third-party vendor risk, please contact us at support@upguard.com.

Learn more about managed vendors and how to use it.

Other fixes and improvements:

  • Added support for filtering by individual CVE on the subsidiary risk profile
  • Standardized and increased character limits on in-app correspondence
  • Risk rating icons and alert colors now match
  • Fixed issue causing questionnaires to become unavailable in Vendor Risk Report when new questionnaire was in draft
What's new in UpGuard | November 2020

Abi Tyas Tunggal
November 30, 2020

Learn about new features, changes, and improvements to UpGuard this month:

  • We’re adding support for subsidiaries as a beta feature. This makes it easy to identify common misconfigurations and security issues shared across your organization and its subsidiaries.
  • Filters on your portfolio Risk Profile now dynamically apply.
  • The buttons and fields throughout the platform now all look, feel and behave in the same way.
Improved input fields, button styles, and hover states

Abi Tyas Tunggal
November 25, 2020

We’ve updated input field and button styles throughout the platform to ensure consistency. Whether you’re searching for findings on your risk profile, looking for a specific vendor, or filtering vulnerabilities, input fields and buttons should now look, feel, and behave in the same way. This makes it easier for new users to get up to speed quickly and for existing users to learn how to use new features as we release them.

In addition to these changes, we’ve made accessibility improvements to our icons by increasing their clickable area and adding hover states. These improvements mean the platform is easier to use for users with smaller screens or poor eyesight.

Other fixes and improvements:

  • Fixed issue where the character limit was longer when creating a remediation request than when editing it
  • Fixed issue causing runtime error on large exports
  • Domains parked with register.com will now appear as inactive
  • Added exception from the non-httpOnly cookie risk for Imperva and Barracuda WAF cookies
  • Fixed issue causing remediation request email to not display company name when there are multiple users on the request
  • Fixed issue causing remediation request timeline to not display the original requester’s name when multiple users are added to the request
Monitor your subsidiaries

Abi Tyas Tunggal
November 10, 2020

We’re adding support for subsidiaries as a beta feature. This makes it easy to identify common misconfigurations and security issues shared across your organization and its subsidiaries. You can see a tree structure of your organization, click into individual subsidiaries, and dive deep into their risk profile, domains & IPs, vulnerabilities, and even their own subsidiaries. You can also request remediation of identified risks from your subsidiaries.

Examples of things you can do:

  • Find security issues shared across your organization and its subsidiaries
  • Identify subsidiaries with poor security postures
  • Understand your complete security profile from the parent company down to the individual subsidiary.

We hope you’ll find a lot of use for subsidiaries and we think this will make UpGuard work better for many different types of organizations.

If you would like to beta test the subsidiaries feature, please contact us via support@upguard.com or by using the live chat in-app which can be found in the bottom right corner of your screen. Once enabled, subsidiaries will show up under Subsidiaries under the BreachSight section of the sidebar. Click on it to view your subsidiaries and explore the additional functionality that has been released.

How to use subsidiaries to monitor your organization’s attack surface

Dynamic filtering on portfolio risk profile

When you select other filters that impact the list of findings available on your Portfolio Risk Profile, the findings filter now dynamically adjusts to only show the corresponding identified risks. For example, if you choose the risk category Website Risks, the findings will only show those that correspond to that category.

How to filter the portfolio risk profile

Other fixes and improvements

  • Fixed issue causing Excel questionnaire exports to not match the UI
  • Fixed issue where PDF exports would cut off questionnaire answers if they were too long
Create notes inside the UpGuard platform

Abi Tyas Tunggal
October 28, 2020

You can now leave generic notes about your vendors inside the UpGuard platform without having to upload a file. This means you can drop in any information you need without having to create and upload a separate document.

This could be information about what project the vendor relates to, why the vendor has been engaged, and any other important information like contract dates or SLAs that don’t justify creating and uploading an entire document.

We hope this feature means you can start storing more of your vendor-related information in UpGuard and we can start acting as your central vendor management repository.

Learn how to create notes

Better vendor filtering: NOT operator and unlabelled support

You can now filter your vendors to show any that do not match a particular label (or labels). For example, you can now see all vendors who are NOT labeled with “Customer Data”.

We’ve also added a special label called “unlabelled”, which can be used to find all vendors that do not have a label applied or, if you use the NOT operator, all vendors that do have labels.

Learn how to filter your vendors

Other fixes and improvements

  • Improved the design of the top of vendor summary pages
  • Fixed a UI issue that caused long vendor names to push the close button off-screen in the vendors section in the sidebar
  • Improved support for domains parked with GoDaddy; these domains will now appear as inactive
  • Fixed bug causing data leaks reporting to display duplicate keywords under some circumstances
  • Made changes to remediation requests so that risks will update when domains become active or inactive
  • Improved error message for situations where new users try to claim an expired invitation
  • Questionnaires and other vendor assets are now stored when you stop monitoring a vendor and will be there if you start monitoring the vendor again
  • Fixed UI issue causing risk assessment notifications to be hard to dismiss
  • Individual vulnerability notifications can now be dismissed
Scoring algorithm improvements

Abi Tyas Tunggal
October 12, 2020

We have made significant improvements to our scoring algorithm. From time to time, we adjust our scoring algorithm based on new information gleaned from industry trends, research, and customer feedback. It is important to note that our new scoring algorithm may have reduced your security rating and those of your vendors.

Here’s what improvements were made and why:

  • Lower scores are weighted more heavily: Ensures poor security on an individual domain or IP address is not “averaged out” by otherwise good security across an organization’s infrastructure. An organization is only as secure as its weakest link.
  • Greater emphasis on network security issues: Open ports, while not dangerous on their own, often expose vulnerable services. A great example of this risk is WannaCry, a ransomware cryptoworm that infected more than 300,000 computers by exploiting a zero-day in old versions of a network protocol called SMB. WannaCry was so successful because the SMB port is open by default on many legacy Windows machines.

As part of these improvements, we have combined our brand and reputation risk categories. Brand and reputation are two sides of the same coin and we believe it makes more sense for the underlying risks to fall under the same category.

Please read this article for more information about how you should respond.

Improved design and functionality for vendor reports

We’ve improved the design and functionality of our vendor report.

Based on your feedback, we have reduced the amount of UpGuard branding on the cover page of the report. If you have custom branding enabled, reports now include your logo on the cover page.

In addition to these design changes, you can now generate vendor reports from any instant report vendors. These improvements are designed to make the report more accessible and easier to understand for recipients whether they’re internal stakeholders or vendors.

Learn how to generate a vendor report.

Other fixes and improvements

  • Changed font from Lato to Inter, a more modern typeface that is consistent with the new UpGuard website
  • Fixed issue where switching between category and overall views on risk profile caused waivers and custom domains checkbox to become unticked
Better emails: Support for company branding and better calls to action

Abi Tyas Tunggal
October 1, 2020

We made significant improvements to our emails. The most notable change is that you can now add company branding. Once enabled, your logo will appear at the top of any email sent by us to vendors or internal stakeholders. This makes it easier for recipients to understand who is making the request and will result in less back-and-forth between you and your vendors.

As part of these changes, we’ve also refreshed the design of our emails to make it easier for recipients to know what action they need to take next. This change means faster responses, better engagement, and less time spent chasing up requests.

Learn how to enable co-branding.

Remediation workflow for vulnerabilities

You can now request remediation of verified and unverified vulnerabilities in first and third-party remediation workflows. This is part of our ongoing work to improve our vulnerability management capabilities.

Learn how to request remediation from a vendor.

Export individual identity breaches

You can now export individual identity breaches as a PDF report or to Excel. The PDF report is a great way to communicate the extent of an identity breach to your internal stakeholders without having to invite them to UpGuard.

Learn how to export an identity breach.

Other fixes and improvements

  • Improved in-product references to relevant knowledge base articles
  • The Vendor Risk executive summary now shows the number of vendors your organization monitors over time
  • You can now label your inactive domains and labels will remain when domains transition from inactive to active or active to inactive
  • Data leaks reporting now shows all keywords including those with no results
Improved vulnerability detection and management

Abi Tyas Tunggal
September 16, 2020

We’ve expanded our vulnerability detection and management capabilities by differentiating between verified and unverified vulnerabilities.

As UpGuard scans from outside companies’ networks, there are some vulnerabilities we can confirm (verified vulnerabilities), but others we only know may exist (unverified vulnerabilities). When verified vulnerabilities are detected, you’ll also be able to see them on your, and your vendors’, risk profiles and use them in our remediation and risk waiver workflows.

In addition, you can now ignore unverified vulnerabilities to remove them from the vulnerabilities list. This is different from a risk waiver because you are signaling that the risk doesn’t exist, as opposed to a risk waiver where you are accepting the risk.

To learn how to use our vulnerabilities feature, see our articles on UpGuard BreachSight vulnerabilities and UpGuard Vendor Risk vulnerabilities.

Audit log

Administrators can now see an audit log of important events in the UpGuard platform and who actioned them.

This will allow you to see, for example, who has logged in, who has had their permissions changed, whether an UpGuard employee has viewed your account, when a questionnaire has been sent, when a risk assessment has been published, and much, much more.

Learn about the events tracked through our audit log.

Six new questionnaires

As part of our continued investment in the platform, we’re releasing six new questionnaires:

  • COBIT 5 Security Standard Questionnaire: Assesses compliance against the Control Objectives for Information and Related Technologies Framework created by ISACA.
  • ISA 62443-2-1:2009 Security Standard Questionnaire: Assesses compliance against the ISA 62443-2-1:2009 standard for industrial automation and control systems.
  • ISA 62443-3-3:2013 Security Standard Questionnaire: Assesses compliance against technical control system requirements associated with the seven foundational requirements (FRs) described in IEC 62443-1-1.
  • GDPR Security Standard Questionnaire: Assesses compliance against the personal information disclosure requirements outlined in the European Union's General Data Protection Regulation (GDPR).
  • CIS Controls 7.1 Security Standard Questionnaire: Assesses compliance against the best practice guidelines for cybersecurity outlined in 20 CIS Controls.
  • NIST SP 800-53 Rev. 4 Security Standard Questionnaire: Assesses compliance against the security and privacy controls required for all U.S. federal information systems except those related to national security.

Other fixes and improvements

  • We’ve broken up Documents & Contacts into two separate pages (Documents and Contacts)
  • Documents now includes all file-based evidence for a vendor and is categorized by source: general documents, additional evidence, or questionnaire responses
  • Documents added as additional evidence are now available in the vendor’s Documents & Contacts
  • Prioritized typosquatting results to first show homoglyphs with only one substitute character and where characters look similar to the original domain.
  • UpGuard analysts can now redact a sensitive URL on a data leaks finding
  • Improved the readability of cookie-based automated scanning results
  • Added parked domain detection for registrar CSC
  • Fixed an issue where users on Chromebooks couldn’t upload files
New vendor risk report

Abi Tyas Tunggal
September 2, 2020

We added a new downloadable report to UpGuard. Now you can generate a report that outlines the security posture of any monitored vendor and share it. Reports can be configured to include automated scanning, questionnaires, and additional evidence, or be based on completed risk assessments. It’s also a nice way to introduce UpGuard to your colleagues, board members, or vendors without having to invite them to the platform.

We also added context around each identified risk and remediation recommendations that can be used to drive decision-making, speed up vendor due diligence, and drive remediation efforts.

Learn how to generate a vendor report

Additional evidence

At the start of August, we released additional evidence to select customers. Since then we have improved the functionality. We’re excited about this as it enables many of you to capture risks identified in documents that your vendors have proactively published to their websites. Starting today, additional evidence is available for all UpGuard VendorRisk users and we’ll keep improving it over time.

Learn how to capture additional evidence

Other fixes and improvements

  • Reports can now be archived and deleted
  • Added search to reports page
  • Improved search and filter functionality to support renamed vendors
  • Increased max vendor name length from 50 characters to 150 characters
  • Fixed bug when extracting risks from completed questionnaires
  • Several fixes to read-only users including removing their ability to dismiss notifications
Additional evidence

Abi Tyas Tunggal
August 6, 2020

We've released a new feature called additional evidence in closed beta that will roll out to the entire user base in two weeks. If you would like access now, please get in touch.

While we recommend you use UpGuard's security questionnaires and automated scanning tools to assess your vendors, in some situations you may need to capture additional evidence about a vendor.

For example, you may send a questionnaire to a large SaaS vendor only to be directed to a page on their website that hosts complete security questionnaires, audit reports, and certificates. These documents provide insights into the vendor's security posture and attack surface.

Additional evidence allows you to capture and store this security or compliance-related documentation and associate any identified risks. Once identified, you can choose to include these risks in the vendor's risk profile, and cite them as part of a risk assessment.

Learn how to capture additional evidence here.

Other improvements and fixes

  • Data leaks customers can now see search results from the dark web and Google searches
Improved WordPress information

Abi Tyas Tunggal
July 21, 2020

A common misconfiguration for WordPress sites is to expose the names of users. We now display the actual user list in the UpGuard platform when this risk is detected.

Additionally, we now explicitly check for old versions of WordPress that have known vulnerabilities that can be exploited.

Other improvements and fixes

  • You can now retrieve the current set of risks from a vendor via our API.
  • Risks are now prepopulated when you request remediation through the Portfolio Risk Profile.
  • Questionnaire due dates can now be changed. If you want to change a questionnaire's due date, click on the questionnaire, click the "actions" button, and then click "Set due date".
  • You can now export to PDF and Excel in more places.
  • When you have filters active and export data to PDF, the PDF that is generated will now display the filters you used.
  • The check for certificates that are about to expire now triggers when a certificate is within 20 days of expiring, rather than 30. This change is designed to reduce the number of false positives, as some popular certificates (like Let's Encrypt) can be set to automatically renew when there are fewer than 30 days to expiry.
Improved webhook integrations

Abi Tyas Tunggal
July 7, 2020

In addition to our API, UpGuard uses webhooks to notify other applications when an event happens in your account. This could be when an identity breach or data leak is detected, the security rating of a vendor drops below a threshold, or when a user requests access to your Shared Profile.

Our improved webhook integration allows you to customize the payload you send to the webhook. This means you can push data into our systems without having to support our default payload format.

If you’re an UpGuard account admin, you can set up new and configure existing webhook integrations from Account Settings -> Integrations, or by clicking here.

If you need a hand setting up your first integration, please read our article on how to integrate UpGuard with other services.

Vulnerabilities are now available through our API

The UpGuard API now lets you return the list of vulnerabilities detected for your organization and your vendors. Click here for details.

Other improvements and fixes

  • When you filter your vendor portfolio based on labels you can now choose whether you want to see vendors that match any of the labels applied or restrict the results to only vendors who have all labels applied.
  • You can now export from the "Vendors" page in Excel and PDF formats
Data Leaks Reporting

Abi Tyas Tunggal
June 23, 2020

We're releasing a new feature for our Data Leaks customers called Data Leaks Reporting. It provides detailed analytics on the keywords you have provided us.

You'll be able to see which research results were classified as safe (by our algorithms or analysts), and which resulted in findings.

Please note: This feature will be rolled out over the coming week. In the meantime, be sure to check out our knowledge base article on Data Leaks Reporting.

If you are a current UpGuard customer and are interested in the Data Leaks module, please contact your Technical Account Manager or click the chat widget in the lower right corner of your screen.

UpGuard Vendor Risk

We've made some enhancements to the export functionality of Portfolio Risk Profile. You'll now notice that when you export data it will include the details of the specific risks identified at each vendor.

Read our knowledge base article on how to export from the Portfolio Risk Profile for more information.

UpGuard BreachSight

We've also improved the export functionality of Vulnerabilities. When you export vulnerabilities, we now include the description of the CVE in the export.

If you would like to learn more about our Vulnerabilities module, read our knowledge base article here.

Shared Profile

Abi Tyas Tunggal
June 10, 2020

We've made it easier to control who has access to your Shared Profile. You can now choose to give access to any registered UpGuard user or only to people you explicitly approve.

For context, a Shared Profile makes it easier to respond to security queries by allowing you to proactively publish information, such as completed security questionnaires or a SOC 2 report, alongside your security rating.

This saves your team time by allowing you to share vital information for potential and current customers without having to respond to the same questions over and over.

If you haven't contacted us to enable the Shared Profile functionality and would like to use it, please do so via support@upguard.com or via the chat widget in the bottom right-hand corner of your screen.

And if you'd like to configure your company's Shared Profile or access level, you can do so from the "My Shared Profile" page.

Go to My Shared Profile

Improved knowledge base

To help you and your team get up to speed with existing and new features inside the UpGuard platform, we're rolling out a new knowledge base.

If you want us to explain how to use any of our features or what we consider best practices, please reach out to us and we'll do our best to accommodate.  

Go to the UpGuard Knowledge Base

Portfolio Risk Profile

Abi Tyas Tunggal
May 27, 2020

We’ve released a new feature for UpGuard Vendor Risk customers called Portfolio Risk Profile. Explore this feature in the UpGuard platform.

It allows you to view the overall risk profile of your vendor portfolio in a single place. For example, you can filter down based on specific risks (e.g. open FTP port) or see all the risks associated with vendors that are labeled as “in-use”.

You can read more about what the Portfolio Risk Profile is here, learn how to use its filter functionality here, and learn how to export data here.

In other news, you can now filter Executive Summary Reports across UpGuard Vendor Risk and UpGuard BreachSight.

You can filter by label or score range in the UpGuard Vendor Risk Executive Summary and by label in the UpGuard BreachSight Executive Summary. To apply a filter, click on the “Apply filters” button in the top right-hand corner of your screen.

We’re also investing in our user interface to ensure the UpGuard platform remains consistent, deliberate, and easy to use. Expect more improvements over the next few weeks.

UpGuard Vendor Risk

In summary:

  • Released the Portfolio Risk Profile
  • Added filtering for UpGuard Vendor Risk Executive Summary
  • Improved the UI

UpGuard BreachSight

We’ve improved our typosquatting module. It now checks for permutations based on other top-level domains. For example, if you are monitoring “example.com”, we will now return permutations such as “example.net”.

In summary:

  • Improved typosquatting module
  • Added filtering for the UpGuard BreachSight Executive Summary
  • Improved the UI
Report exporting improvements

Abi Tyas Tunggal
May 12, 2020

We’ve greatly improved the report export functionality across the UpGuard platform. You can now export your own or a vendor’s risk profile to Excel. The Excel file contains a row for each combination of risk and domain / IP.

You’ll also notice that reports reflect any filters you have in place, such as label-based or score-based filtering. To try this out, log in to the UpGuard platform > go to your Risk Profile > apply a filter > click export.

You’ll see there is an option to apply active filters, as well as to export to PDF or Excel.

Additionally, we’ve made some changes to how we report on and classify domains and IP addresses across both UpGuard Vendor Risk and UpGuard BreachSight:

  • When a domain or IP is removed (from a vendor’s infrastructure or your own), you will now see a corresponding event in the “changes” view.
  • Domains with open ports are now classified as “active” to better reflect an organization’s attack surface. Prior to this, domains with open ports but no website or email configuration were classified as “inactive”.
  • Parked domains at several registrars are now considered “inactive”. If you have parked domains that do not appear inactive, please contact UpGuard Support and we can set them as “inactive”.

We also made a small change to our scoring engine. The "HTTP still accessible" check will now fail for domains that respond with a 4xx/5xx HTTP status code over plain HTTP. Previously only sites responding with 200 failed this check.

UpGuard Vendor Risk

We’ve made UpGuard Vendor Risk specific improvements:

  • Domains and IPs are now viewable from Risk Assessments. This means when you conduct a risk assessment on a vendor, you can use the list of Domains and IPs monitored by UpGuard, as well as their associated risks, as part of the evidence for that assessment.
  • We’ve made some improvements to how we collect fourth-party information for our Concentration Risk and Supply Chain modules. If you would like to know more about these modules, please contact UpGuard Support.

UpGuard BreachSight

We’ve made UpGuard BreachSight specific improvements:

  • The Identity Breaches API now includes the data classification for each breach, such as whether it contains passwords, PII, or other sensitive information.
  • Vulnerability alerts are now grouped into a single email. This means if you enable email notifications for new CVE discoveries, we will only send you one email per day that outlines all impacted domains and IPs. You can manage your notifications by clicking here.
Deeplinking, category scores and revoked certificate checks

Abi Tyas Tunggal
April 28, 2020

We've made some changes to how we structure the sidebar in UpGuard CyberRisk. The Executive Summary is now split into two separate pages:

This better reflects the nature of the data contained in each page and ensures there is a consistent separation between UpGuard Vendor Risk and UpGuard BreachSight. Additionally, we've reordered some other menu items to improve usability.

Other product-wide improvements in this release include:

  • Deeplinking. If you click an UpGuard link, such as an email notification, and are not logged in, after logging in you will be redirected to the page you were trying to access
  • Category scores. We've improved our API and have made category scores available through the Vendor List API endpoint
  • Revoked certificate check. This is a new check that is part of our automated scanning

UpGuard Vendor Risk improvements

We've improved the ability to drill down into specific details on the UpGuard Vendor Risk Executive Summary. You can now:

  • See which vendors fall within each score range in Current Risk Ratings Breakdown
  • Navigate to the details of a specific vendor in Highest and Lowest Rated Vendors
  • See what products your vendors are using in Supply Chain Risk Section

Additionally, we now:

  • Display supported file types on the Documents and Contacts page.
  • Have a new app or email notification type for when a Risk Assessment is published. If you would like to receive these notifications, head to the Notifications page.

UpGuard BreachSight improvements

We've improved the UpGuard BreachSight Executive Summary by:

  • Allowing you to add up to ten competitors to Competitor Analysis

Additionally, we've made a few small improvements:

Improvements to how we display domains and IPs

Abi Tyas Tunggal
April 14, 2020

Over the next week, we'll be rolling out a change to how we display domains and IPs in the UpGuard platform.

Going forward, we will display inactive domains and IPs across your own infrastructure and that of your vendors. We previously only reported on active domains and IPs, e.g. ones running a website or with MX records. We track many more domains than what appears in the active section and now provide a way for you to view these.

UpGuard Vendor Risk improvements

We’ve also improved the design and usability of our new Risk Assessment feature, making it easier to create and read risk assessments. As always, if you’d like to try the feature please let us know via support@upguard.com.

And if your account is configured to factor questionnaire scores into the overall score of a vendor, you will now see a breakdown of the score on their risk profile and vendor summary page.

In short, we now show the total score, questionnaire score, and score based on automated scanning.

UpGuard BreachSight improvements

We’ve added new functionality and data to the Identity breaches module:

  • You can now send email notifications to those who are exposed in third-party data breaches. This is a good way to remind staff about the appropriate use of work email accounts, discourage staff from reusing passwords, or to remind people to change their passwords.
  • Breaches can now be archived once you have processed them, e.g. once you’ve notified impacted employees.
  • Our data set of breaches now includes additional breaches that were discovered by the UpGuard Cyber Research team.
Introducing Risk Assessment

Abi Tyas Tunggal
March 19, 2020

We launched a new feature called Risk Assessment. This feature is currently available on request; if you would like access, please email support@upguard.com.

Risk Assessment allows you to:

  • Specify the evidence you reviewed as part of the assessment (including questionnaires and automated scan results)
  • Document your findings based on this evidence
  • Record who conducted the assessment
  • Export the assessment as a PDF
  • Make the assessment visible within the app to all the users of your account

UpGuard Vendor Risk improvements

We've also released two Pandemic questionnaires designed to help you assess your vendors' readiness to deal with the current pandemic, as well as improved PDF report generation.

When you export information to PDF, it will now appear in the sidebar under a new menu item called "Reports". This also fixes the bug where generating reports for large vendors would sometimes time out.

UpGuard BreachSight improvements

We've added an API that returns information about your company's identity breaches, made it easier to tell which domains and IPs you've added manually, and pushed quite a few bug fixes and minor tweaks.

New Vendor Summary

Abi Tyas Tunggal
February 19, 2020

New Vendor Summary: When you look up a vendor, the first page you see is now a new Vendor Summary. This provides a management-level view of the vendor, and can also be exported as a PDF.

Other improvements

  • Enhanced Risk Profile: We’ve made a number of improvements to the Risk Profile page, including the ability to filter by risk category (e.g. website risks, email risks, etc.)
  • Websites & APIs is now called Domains and IPs
  • Greatly enhanced port scanning: We now explicitly check for nearly 200 services running across thousands of ports. We also report any services that we can’t identify, and any open ports where no services are detected.
  • We’ve made some changes to our scoring algorithm:
      • Updated email security checks: this includes a new check for the DMARC policy (which fails if p=none). For information on email security, see https://www.upguard.com/blog/email-security
      • Improved checking for open ports/services: As part of enhancing our port scanning capability, we have reviewed and updated the severity of risks associated with open ports/services.
      • The HSTS checks now include a check against the Chromium preload list. If a domain is on the preload list, all HSTS checks pass for that domain and all its subdomains.
      • Updated domain status checks for .au domains: We no longer check for clientTransferProhibited or serverRenewProhibited on .au domains, as they are not applicable.
  • Changes to open ports can now be reflected in CyberRisk sooner, by pressing the “RESCAN” button. When a port is closed, manually requesting a rescan of the website will now detect the change to the port sooner (usually within a day).
  • WHOIS lookup within Typosquatting: When you view a registered permutation of a domain you are monitoring for typosquatting, you can now see that permutation’s WHOIS information
  • New Questionnaires: We have added questionnaires for PCI DSS, CPPA, and Modern Slavery.
Exporting vulnerabilities

Abi Tyas Tunggal
January 22, 2020
  • Export Vulnerabilities: You can now export the list of vulnerabilities
  • Better domain discovery: We’ve made further improvements to our domain discovery engine, which results in more domains and subdomains being discovered.
  • Various usability tweaks and bug fixes
2019
NIST CSF Questionnaire

Abi Tyas Tunggal
December 23, 2019

We have released a new questionnaire that is mapped to NIST CSF. To use this questionnaire, you'll first need to enable it from the "Questionnaire Library" section of Vendor Risk. When one of your vendors completes a questionnaire, any risks identified will be mapped to the corresponding CSF control categories.

Share your security profile

Abi Tyas Tunggal
December 11, 2019
  • Share your security profile: Make it easier for other companies to assess your cybersecurity posture by proactively publishing security-related information including questionnaire responses and other security documents. Control who has access to these documents, and see who has viewed them. Invite companies to view your Shared Profile when they are assessing you, and spend less time completing security questionnaires. Contact UpGuard Support to enable your Shared Profile.
  • Export questionnaires: Download completed questionnaires as PDFs.
  • Questionnaire workflow improvements: When you receive a completed questionnaire, mark it as “in review” to keep track of who in your team is reviewing which questionnaire response.
  • API enhancements: Data leaks are now available through the API. See the API documentation for more details.
  • Various bug fixes
Executive Summary Report

Abi Tyas Tunggal
November 11, 2019
  • Executive Summary Report: We’ve created a new report to provide a summary of your own cybersecurity posture, and that of your vendors. We’ll be activating it for existing customers over the next week or so.  As part of this change you’ll notice the “Dashboard” page has been replaced with two new pages - the "Executive Summary", and a dedicated “Notifications” page.
  • Enhanced file upload feature for questionnaires: When providing evidence as part of responding to a security questionnaire, you can now point to a file that you've already uploaded. This allows the same file to be referenced as evidence for multiple questions without having to upload multiple copies of it.
  • Various bug fixes, including some display issues related to the Microsoft Edge browser.
Improved notifications

Abi Tyas Tunggal
October 16, 2019
  • You can now receive notifications when your company's score drops below a certain threshold, or by a certain number of points. To opt in and out of these notifications, use the "manage notifications" link on the dashboard page. To customise the set of notifications available to users in your account, go to Account Settings -> Notifications (admin users only).
  • The Insecure SSL/TLS Versions check now fails for TLSv1.1, in addition to SSLv2, SSLv3, and TLSv1.0. See RFC 7525 for more detail on why TLSv1.1 should be disabled.
  • We fixed a bug where for some websites we would incorrectly report old versions of TLS as being available.
  • We improved the way we display vendors whose primary domain does not have a website running on it.
WordPress scanning

Abi Tyas Tunggal
September 18, 2019
  • WordPress scanning: Whenever we detect that a site uses WordPress, we now run a series of additional security checks. These checks identify configuration problems that leave WordPress sites vulnerable to attack.
  • Supply Chain Concentration Risk (beta):  We have launched a beta of a new feature which highlights where companies in your supply chain (e.g. your vendors) rely on common underlying technology (e.g. hosting providers, email providers).  Contact UpGuard Support if you would like early access to this feature.
  • The character limit for messages you include when sending questionnaires has been increased from 300 to 1000
  • Various bug fixes
Vendors and instant reports

Abi Tyas Tunggal
September 3, 2019
  • We’ve improved the way we display your list of vendors and instant reports.
  • You can now search for vendors by URL as well as name
  • We’ve improved the way questionnaires are displayed, including making it easier to view the risks, and improving the question numbering
  • We've changed the algorithm for scoring questionnaires to improve the way unanswered questions are weighted.
  • We’ve improved the way “Assurance” customers view their customer portfolio
Add custom labels

Abi Tyas Tunggal
August 7, 2019
  • You can now add custom labels to your websites in BreachSight, just like the labels you can already add to your vendors in VendorRisk. You can then use labels to filter websites on all pages where your websites are shown.
  • UpGuard has now been added as one of your monitored vendors in VendorRisk, if you were not monitoring the UpGuard vendor already. This will not count towards the available monitored vendor slots in your account. If you are not using VendorRisk already, you will now be able to access it, with UpGuard as your only monitored vendor.
  • We've improved our risk model for redirect domains. These are domains that redirect users to a different domain, and do not themselves host a website. Before this change, if example.co.uk redirected to example.com, some of the risks that we scan for were only being identified on example.com, and example.co.uk was not being checked for all possible risks. With this change, all risks applicable to example.co.uk will now be correctly identified. The most significant new risks that you may start seeing on redirect domains are related to HTTPS support and SSL certificate issues. You may notice some fluctuations in website scores as this change is rolled out, but the end result will be a more accurate reflection of the risks associated with these domains.
  • It's now easier to manage your Cyber Risk API keys from your account Settings page. You can have multiple active API keys, and specific keys can be deleted. This allows API keys to be rotated more easily, when required.
  • Various bug fixes.
  • You will now be notified on your Cyber Risk dashboard when we release new features in future. Keep an eye out for the notification.
Add "private" notes to questionnaires and remediation requests

Abi Tyas Tunggal
July 23, 2019
  • You can now add "private" notes to questionnaires and remediation requests. These are visible to users of your account, but not to the recipients of the questionnaire or remediation request.
  • We've improved how we present your own score. When we display your own company's score to you, we can draw on public information (such as the configuration of your websites) as well as private information (such as which vendors you have marked as "in use"). This lets us provide the most complete view of your security posture. When someone else (another CyberRisk customer) looks up your company, however, we report your score based only on the publicly available information. This has caused some confusion, and to address this, we've changed the way you see your own score on your "Risk Profile" page. You can now choose to either see your "public" score, or also factor in the private data you have provided.
  • When you manually request a scan for a given website, we are now rescanning for open ports on that website more quickly. At times it may still take a while for refreshed port scan data to flow through, but it should often appear within 10 minutes or so. Note that when ports change from "open" to "filtered" (as opposed to "closed"), it will still take up to 30 days for changes to flow through.
  • When you manually request a scan for a given website, and the scan fails (for instance, if the website is no longer running) we now report the failure, as well as how many times it's failed previously, and when the website will be removed (after 4 consecutive failures).
  • You can now request remediation or create a risk waiver from the Risk Profile page, or while looking at the details of a specific website.
  • We fixed a problem with vulnerabilities where some websites that use shared IP addresses would have vulnerabilities incorrectly assigned to them.
  • We've made a number of UI improvements and bug fixes
Filter vendors by score range and introducing questionnaire library

Abi Tyas Tunggal
July 9, 2019
  • We now allow vendors to be filtered by a score range, and use this to provide a clickthrough from the vendor breakdown on the dashboard.
  • We have extended vendor filtering to cover the contents of the dashboard (including the vendor breakdown) and the remediation list.
  • We have created a questionnaire library, allowing account admins to easily configure which questionnaire types are able to be selected and sent by their users. It also allows non-admin users to browse and preview those questionnaire types that have been selected for the account.
  • Various bug fixes
Simplified Data Leaks workflow

Abi Tyas Tunggal
June 26, 2019
  • The Data Leaks workflow has been simplified. Now there are only 3 states for a Data Leak - Disclosed, Acknowledged, and Closed. The Closed status still includes the reason for closure (Fixed, Not a Risk, or Risk Accepted), and can be verified by an UpGuard analyst as an additional final step.
  • The Documents list on the Questionnaire Details page now includes all documents relevant to the questionnaire, and whether they have been included or not. This allows users to easily see which documents have been uploaded and which have been omitted.
  • Users can now include a message when requesting remediation, which will be visible to the recipient.
  • Users must now include a "justification" when creating a risk waiver which will be visible to the approver, if one exists. If there is a separate approver, their justification will be shown separately.
  • Score history (up to a year if the data is available) is now enabled by default for all accounts.
  • There is a new action in the Actions dropdown to "Send a message" available on the Questionnaire Details screen. This prompts the user to enter a message in the Correspondence section.
  • Admin users can now remove themselves from an account, as long as there is at least one other admin user on the account.
  • Various bug fixes and cross-browser improvements.