UpGuard Release Notes

Learn about new features, changes, and improvements to UpGuard.
March 2024
Import and answer security questionnaires in minutes – for free

Annie Luu
March 13, 2024

We’re making it easier than ever to answer security questionnaires with UpGuard’s Trust Exchange. You can now import any security questionnaire in Excel format, along with past responses and other documentation, and use that information to populate the questionnaire with AI-driven suggestions. Save your responses for next time and export the questionnaire back to its original format.

The UpGuard Trust Exchange is free to use. BreachSight and Vendor Risk customers can invite their colleagues to start using the Trust Exchange without affecting their plan’s user limits.

Other improvements

  • You can now request additional report types through the API. In addition to the Vendor detail, Vendor summary and Board reports, you can now request Custom vendor reports, as well as Risk profile, Vulnerability and Domain list exports. To learn more see How to request a report via the UpGuard API.
  • To give you more flexibility to customize your communications when sharing reports, we’ve added a new email template for Generated Reports. To learn more see How to set up templates in UpGuard.
  • You can now store longer notes against your vendor records, with a new character limit of 1000 characters (increased from 500 characters).
February 2024
Ability to conduct concurrent risk assessments for a single vendor

Annie Luu
February 28, 2024

To give you more flexibility when conducting risk assessments, we’ve added the ability to create multiple concurrent risk assessments for a single vendor. You can now add custom names and scope for each risk assessment, to correspond to the specific purpose and scope of each assessment, such as product or region-based risk assessments.

To learn more about vendor risk assessments and these changes see How to complete a risk assessment.

Introducing the UpGuard Trust Exchange and Content Library

We’re consolidating our existing tools to answer security questionnaires, respond to requests for documentation and choose what to share in your Shared Profile under one banner: the UpGuard Trust Exchange. Plus, we’re introducing a content library, where you can manage and reuse previously uploaded documents. 

  • New: "Trust Exchange" menu item in your navigation
  • New: Content library feature to manage and reuse documents uploaded as part of security questionnaires
  • Move: "My Shared Profile" moves into Trust Exchange 

Improved visibility into your asset inventory with Detected Products

To extend the visibility into your asset inventory in BreachSight, we’ve added a new section called Detected Products that displays in-depth information about the software and other products used on your domains and IPs.

This information extends what is already available in Vulnerabilities – an inventory of software products with known vulnerabilities – to show products in use that may not yet have CVEs. Having this information allows you to audit for unapproved software and respond more quickly when a new vulnerability is discovered for one of the products you use.

Added link to registrar's abuse page to typosquatting 

When malicious domains impersonating your brand are detected by the Typosquatting module, the next step is to remediate the risk by contacting the domain registrar and reporting the abuse. You can now go straight to the page of the registrar or other relevant internet authority from Typosquatting to begin the takedown process.

Other improvements

  • We have begun the process of rolling out credentials stolen by infostealer malware as an enhancement to Identity Breaches for all customers on the Professional plan and above. 
  • We have added detection for CVE-2024-1709 and other vulnerabilities in ConnectWise ScreenConnect.
  • To make it quicker to download reports, we’ve added the ability for users to download multiple reports at the same time from the Generated reports page.
  • This release includes a number of bug fixes.
What’s new in UpGuard | February 2024

UpGuard Team
February 1, 2024

Learn about new features, changes, and improvements to UpGuard this month.

  • To help with auditing for technologies affected by recent, high-impact vulnerabilities, we have added detections for Fortra GoAnywhere, Ivanti Connect Secure, Apache Superset, and GitLab.
  • We have added the ability to customize which domains to include in the risk assessment scope, giving you more flexibility to perform risk assessments on specific products or sub-sets of an organization rather than the entire vendor.
  • To give you more control over questionnaire statuses, we’ve added the ability to restore canceled questionnaires and re-open completed questionnaires.
January 2024
Fortra GoAnywhere MFT CVE-2024-0204 detection added

Annie Luu
January 30, 2024

CVE-2024-0204, a critical authentication bypass vulnerability in Fortra's GoAnywhere Managed File Transfer (MFT) software, allows unauthorized users to create admin users and bypass authentication requirements.

While this vulnerability is not yet in the Known Exploited Vulnerabilities catalog, GoAnywhere was previously targeted by the Cl0p ransomware group in early 2023, making it crucial to patch now before it’s too late.

Other improvements

  • This release includes a number of bug fixes
  • To give you more control over questionnaire statuses, we’ve added the ability to restore canceled questionnaires and re-open completed questionnaires
  • To help you easily get an overview of task statuses, we’ve added % complete and due date columns to remediation request pages, and % complete to questionnaire list pages
Flexibility for domain inclusion in Risk Assessments

Annie Luu
January 18, 2024

We have added the ability to customize which domains to include in the risk assessment scope, giving you more flexibility to perform risk assessments on specific products or subsets of an organization rather than the entire vendor. This is one of a broader set of improvements, to be delivered over the coming weeks, that add more flexibility to the risk assessment workflow.

To learn more see How to complete a risk assessment.

Detections for Ivanti Connect Secure, Apache Superset, and GitLab

To help with auditing for technologies affected by recent, high-impact vulnerabilities, we have added detections for Ivanti Connect Secure, Apache Superset, and GitLab. For Superset, any vulnerabilities associated with the affected version will appear. There is currently no patch for the Connect Secure vulnerability, only mitigations, so any detected instances should be investigated to ensure those protections are in place.

Additional filtering for labels in Domains and IP Addresses

There are now more operators available when filtering the Domains and IPs pages based on labels. Similar to existing functionality in the Vendor Risk Portfolio, you can now choose to match any or all labels, exclude labels, and filter to assets with no labels. 

Other improvements

  • This release includes a number of bug fixes
December 2023
Adjust the severity of additional evidence risks

Annie Luu
December 20, 2023

Following on from our recent release that provided the ability to adjust the severity of a questionnaire risk, Vendor Risk customers can now reduce (or increase) the criticality of a risk that originates from additional evidence. This makes it easier for you to manage vendor risks within the platform, and provides you with a more nuanced view of the risks that incorporate compensating controls or other information provided by the vendor. 

Other improvements

  • This release also includes a number of bug fixes

Ability to adjust severity of vendor risks

Annie Luu
December 7, 2023

We’ve added the ability to allow users to reduce the criticality of a risk based on compensating control/information provided by the vendor, making it easier for you to manage vendor risks within the platform. In this release we’ve made this available for risks raised from questionnaires, and will be extending this capability for scanning and additional evidence risks in future releases.

To learn more see How to adjust the severity of a risk.

Automation of tiers, labels, portfolios and custom attributes

Vendor Risk customers on our Professional, Corporate, and Enterprise plans can now say ‘goodbye’ to the time-consuming manual work of classifying vendors. Our automation feature allows you to set up rules that trigger when a relationship questionnaire is returned, automatically populating the vendor’s attributes with information gathered in the relationship questionnaire.

Not only does this save time and reduce manual repetitive tasks, it is useful in codifying your vendor classification processes, so you know that the information you’re storing is accurate and consistent. 

To learn more see How to use automation to apply tiers, labels, portfolios and custom attributes to your vendors.

Other improvements

  • We’ve made some improvements to risk assessments including making changes to ensure commentary edits are carried over between versions and on re-assessment
  • This release also includes a number of bug fixes

November 2023
Ability to shortlist key risks in risk assessments

Annie Luu
November 22, 2023

We’ve added the ability to create a shortlist of key risks as part of a risk assessment, allowing you to highlight important risks and those requiring follow-up. You can choose to include only key risks as part of your risk assessment report, in lieu of displaying the full list of risks. To learn more see How to complete a risk assessment.

API flexible permissions

We’ve revised API permissions to allow a finer-grained set of permissions and visibility:

  • Added a Read/Read&Write flag to allow a given API key to only access GET functions or to be able to access GET/PUT/POST and DELETE functions.
  • Expanded on the current Data Leaks permission to allow an API key to be defined by role.
  • To protect existing integrations all existing API Keys will be granted full access. The new model will only relate to keys generated after this release.

To learn more see UpGuard’s API documentation.

Vendor monitoring API changes

We’ve created specific API endpoints to start monitoring and stop monitoring a vendor. This allows us to follow more established and consistent API design practices as well as restrict the monitoring to only those API Keys that have Vendor Risk Read&Write permissions. In subsequent releases, we will deprecate the “start_monitoring” flag in the /vendor API endpoint and remove that feature:

  • Vendor ID or Primary Host Name) to the list of monitored vendors. This supports the same functionality as our existing /vendor API when start_monitoring = true, such as:
      - The ability to apply labels and tiers;
      - A wait for a scan feature that scans the vendor before returning the results;
      - Checks on UpGuard licenses maximum Vendor counts.

  • /vendor/unmonitor – A new endpoint that will remove the specific vendor (based on Vendor ID or Primary Host Name) from the list of monitored vendors.

To learn more see UpGuard’s API documentation.

SysAid vulnerability detection

We’ve added detection for the SysAid product, its version, and associated vulnerabilities, notably CVE-2023-47246 being exploited by the Clop group.

Other improvements

  • This release includes a number of bug fixes.
Remediation available for Additional Evidence risks

Annie Luu
November 8, 2023

We’ve made it easier for you to manage risks you have raised for additional evidence documentation by adding the ability to request remediation from your vendors. To learn more see How to capture additional evidence.

Edit Lock-out for completed questionnaires

To give customers more control over their assessment process we’ve added a feature to be able to prevent vendors from updating completed questionnaires. The default behaviour will be to prevent vendor updates to completed questionnaires, but this can be easily controlled at an account level by the Allow changes to completed questionnaires toggle in Questionnaires settings.

Other improvements

  • New fields have been added to Vendor Details API including: risk assessment status, last assessment date, portfolios and notes
  • This release includes a number of bug fixes

October 2023
New SIG Lite questionnaire, plus big improvements to risk assessments

Annie Luu
October 25, 2023

SIG Lite questionnaire added to library

The Shared Assessments Standardized Information Gathering (SIG) Lite questionnaire has been added to our questionnaire library. SIG Lite is designed to provide a broad, high-level understanding of a third party's internal information security controls. Like our other questionnaires, SIG Lite incorporates cybersecurity ratings and automated risk detection, and is integrated with standard questionnaire workflows. To learn more, see Questionnaire Library.

Improved risk assessments 

We’ve made improvements to the risk assessment workflow to make it more intuitive and flexible including:

  • The ability to add comments to individual risks in risk assessments, making it easier to capture all your risk management activity within the platform.
  • Improvements to the commentary section, with a more flexible template that is divided into sections, giving you more flexibility to present the risk assessment report according to your needs.
  • Addition of more merge tags to pre-fill vendor information including scores, tiers and attributes, so you can generate comprehensive pre-filled commentary for your risk assessment.

These improvements have been available in limited release, and are now generally available to all Vendor Risk customers. To learn more see Using the risk assessment framework in UpGuard.

Show date when domains/IPs are first detected

Maintaining control of your asset inventory requires knowing when new sites first become publicly accessible. To help with this we now show the date the domain was first scanned on the domain or IP address details panel.

New workflow to request additional evidence documents

To assist with vendor risk assessments, we have made the process of collecting additional evidence documents (such as certifications and other security documentation) easier by adding a workflow to request additional evidence documents directly from vendors. Vendors can load documents directly to the platform, avoiding having to request and upload those documents outside the platform. To learn more see How to capture additional evidence.

Other improvements

  • We’ve added an unverified vulnerability and compromise detection for Cisco IOS XE CVE-2023-20198.
  • We’ve added a column on the Typosquatting page to allow users to sort by creation date. When a permutation has been registered more recently, it can be an indicator that it is more likely a threat.
  • We’ve built more flexibility into the questionnaire builder, allowing you to add custom numbering to your questionnaire. To learn more see How to use the questionnaire builder.
  • This release also includes a number of bug fixes.
Additional vulnerability detection

Annie Luu
October 10, 2023
  • We added detection for CVE-2023-22515, a vulnerability in Atlassian Confluence that has been actively exploited to add administrators to hosted Confluence instances. 
  • To add visibility into less highly publicized but still commonly exploited vulnerabilities, we’ve also added detections for over 200 WordPress plugins known to have vulnerabilities in some versions. 

Other improvements

  • This release includes a number of bug fixes
  • We’ve enhanced the Vendor Details API to add Score Breakdown, Score Trend, Risk Counts, Automated Scanning Counts, and Attributes
September 2023
What’s New in UpGuard | September 2023

UpGuard Team
September 30, 2023

Learn about new features, changes, and improvements to UpGuard this month.

  • AI Autofill utilizes the recipient’s past questionnaire responses to make smart suggestions, allowing them to spend less time on painful, manual copy-and-paste processes, and more time focusing on fine-tuning responses and improving their answer repository.
  • You can now create and save custom report templates in the Reports Library, which can then be used by you and others in your organization to run custom reports. We have also enhanced our report Library display and navigation to make it quicker and easier to find and run the reports you need.
  • We’ve made some improvements to make it easier for you to track and manage Identity Breaches, such as improved filtering so you can now filter the list of breaches by severity, specific data types exposed, number of people involved, and date.
Identity Breaches uplift

Annie Luu
September 28, 2023

We’ve made some improvements to make it easier for you to track and manage Identity Breaches. We’ve improved filtering so you can now filter the list of breaches by severity, specific data types exposed, number of people involved, and date. This follows on from recent changes to assign an identity breach to users within your organization, and add comments to the breach to track your progress and activity. 

To learn more see How to collaborate on Identity Breaches.

Improved risk assessments including pre-filled commentary template - now in BETA

We’ve made improvements to the risk assessment workflow to make it more intuitive and flexible including:

  • Improvements to the commentary section, by providing a more flexible template, divided into sections to give you more flexibility to present the risk assessment report according to your needs.
  • Addition of more merge tags to pre-fill vendor information including scores, tiers and attributes, so you can generate comprehensive pre-filled commentary for your risk assessment.

To learn more see How to use the vendor risk assessment framework (BETA).

These improvements are now available in limited release to our BETA customer group. Talk to your account manager if you would like to get early access to these features.

Configure risk visibility for questionnaire recipients

Vendor Risk customers now have the option to disable risks from questionnaires, or configure how the risk is shown to the vendor. This allows greater flexibility in both custom questionnaires and UpGuard template questionnaires. To learn more see How to configure risk visibility within questionnaires.

Other improvements

  • Additional vulnerabilities. We’ve added support for detecting the version and associated vulnerabilities for many more products. 
  • Schedule a report for generation using the public API. Report types supported are Board Summary Report, Board Summary Presentation, BreachSight Summary, BreachSight Detailed, VendorRisk Executive Summary, Vendor Summary, Vendor Detailed. Generated reports can be retrieved through the use of supplied email address(es), a webhook URL or via a secondary API call to obtain a download URL.
  • This release also includes a number of bug fixes
Receive faster responses to questionnaires with our new AI Autofill

Annie Luu
September 14, 2023

The launch of our AI Autofill tool makes it faster and easier for your vendors to respond to security questionnaires, delivering accurate, high-quality results. AI Autofill utilizes the recipient’s past questionnaire responses to make smart suggestions, allowing them to spend less time on painful, manual copy-and-paste processes, and more time focusing on fine-tuning responses and improving their answer repository. Find out more about How to use AI Autofill and our AI Toolkit.

Improved ability to collaborate on identity breaches

We’ve made it easier to collaborate and resolve identity breaches. You can now assign an identity breach to users within your organization, and add comments to the breach to track your progress and activity. To learn more see How to collaborate on Identity Breaches.

Scoring change to TLS and End of Life software risks

We’ve adjusted the impact of risks for end-of-life software products and additional TLS validation. These risks were previously provisional, and have now been updated with a score impact that reflects the risk they pose.

Other improvements

  • We’ve improved the risk assessment framework to better reflect that they are a point-in-time assessment. Questionnaires and other evidence used in risk assessments are now snapshotted, and will not be affected by any activity that happens after the risk assessment. 
  • We’ve released a new version of our ServiceNow Third-Party Risk Management integration, certified for the upcoming Vancouver release. 
  • This release includes a number of bug fixes.
August 2023
Easily convert documents to additional evidence

Annie Luu
August 30, 2023

We’ve made it easier for you to convert documents included with questionnaires and general documents into additional evidence. This allows you to easily classify and add risks to these documents, and use them as part of your vendor risk assessments. To learn more see How to capture additional evidence.

Detection of Citrix ShareFile and Ninja Forms WordPress plugin amidst active exploitation 

Citrix ShareFile has been targeted by attackers to exploit CVE-2023-24489. We now identify which sites are running ShareFile so you can ensure they have been updated to the current version. We also identify sites using the Ninja Forms WordPress plugin, which is being targeted via CVE-2023-37979, CVE-2023-38386, and CVE-2023-3839.

Vulnerability detection for many JavaScript libraries

Our JavaScript vulnerability detection has been extended to include Bootstrap, Chart.js, Handlebars, and many other popular libraries to ensure that websites you depend on aren’t affected by frontend vulnerabilities.  

Other improvements

  • This release includes a number of bug fixes
  • Improvements to collection of dark web posts will capture more breach announcements
Automation of tiers, labels, portfolios and custom attributes—now in beta

Annie Luu
August 16, 2023

This feature makes populating vendor attributes instant and easy. You’ll now be able to automatically apply tiers, labels, portfolios or custom attributes to your vendors, based on answers collected from an internal relationship questionnaire. With flexible logic and the ability to create simple or complex automation rules, this feature reduces the manual effort required to collect and store information about your vendors, and makes it easy to apply consistent logic across your entire vendor portfolio. 

Automation will be available to Vendor Risk customers on Professional, Corporate and Enterprise plans, and is currently being rolled out to a closed beta release group. To join the beta, get in touch with your Customer Success representative. 

New vulnerability detections added

  • We now detect the actively exploited Ivanti / MobileIron vulnerabilities CVE-2023-35078, CVE-2023-35081, and CVE-2023-35082.
  • We also detect two WordPress plugins that are being actively exploited, Advanced Custom Fields and Essential Addons for Elementor.
  • Unverified vulnerabilities have been added for websites using AngularJS. 

Other improvements

  • Vendor Risk customers can now archive shared questionnaires and additional evidence, to keep your questionnaires view up to date and free of clutter. 
  • This release also contains a number of bug and performance fixes
Customize and save report templates

Annie Luu
August 2, 2023

You can now create and save custom report templates in the Reports Library, including the ability to add custom commentary and configure which elements to include in your report. Templates can then be used by you and others in your organization to run custom reports. 

We have also made some further improvements to the report Library display and navigation to make it quicker and easier to find and run the reports you need.

The navigation improvements and the ability to customize reports are available to all users, but the ability to save custom templates for re-use is limited to customers on Professional plans and above.

To learn more about custom reports see How to create a custom report template.

New Vulnerability detections added

  • We now detect jQuery vulnerabilities. These are based on the version of the library in use, and are marked as unverified vulnerabilities with no score impact.
  • Added detections for new vulnerabilities in Atlassian Bamboo (CVE-2023-22506) and Confluence (CVE-2023-22505, CVE-2023-22508). 
  • Improved version detection for Citrix Gateway and ADC vulnerabilities CVE-2023-3519, CVE-2023-3466, and CVE-2023-3467. These vulnerabilities are also known to be exploited and should be investigated if detected. 

Other improvements

  • Improvement to the questionnaire builder to allow an optional free-text field to be added against single-select and multi-select (radio/checkbox) questions
  • This release includes a number of bug fixes
July 2023
New bulk upload tool for additional evidence, and more

Annie Luu
July 19, 2023

In this release we’ve introduced a new bulk upload tool for additional evidence in Vendor Risk. Adding additional evidence is vital to maintaining an accurate view of your vendors, and a huge time-saver when it comes to performing faster risk assessments without the need for lengthy questionnaires. Learn more about additional evidence.

UpGuard’s integration is now compatible with ServiceNow’s latest version

For customers utilizing our ServiceNow integration, you can rest assured that it is compatible with the Utah version of ServiceNow, as well as previous versions Tokyo and San Diego. 

Other improvements

  • This release includes a number of bug fixes
New Board Summary PowerPoint presentation, and improvements to reputation risk detection

Annie Luu
July 5, 2023

This release includes expanded sources for reputation risk detection, improvements to reporting templates, as well as additional evidence enhancements and more. 

Improvements to reputation risk detection

This release includes expanded sources for reputation risk detection, to ensure your assets are better protected against malicious actors. We’ve improved a number of areas, including detection of domains and IPs that are communicating with command and control servers, suspected of brute force login attempts, conducting unsolicited scanning, distributing malware, and hosting phishing sites. These improvements also provide visibility of when a domain or IP has been mistakenly flagged on one of the reputation lists, and allow corrective action to be taken.

UpGuard collects reputational risk data from a variety of sources. We include the source of the data in the risk’s “actual” value so that you have transparency into the information being used.

Board summary report now available as a PowerPoint presentation

Fans of our board summary reporting template will rejoice, as you can now download this report as an editable PowerPoint document for easy customization and sharing. 

Other improvements

  • It is now easier to see when you’ve saved documents against your vendors that might help in your assessment of them, like a SOC2 report or ISO 27001 certificate. You can now add “Evidence” and “Questionnaires” columns to the Vendors page, and filter by additional evidence and questionnaire types.
  • There is now an informational risk present for use of TikTok Analytics.
June 2023
What’s new in UpGuard | June 2023

UpGuard Team
June 30, 2023

Learn about new features, changes, and improvements to UpGuard this month.

  • You can now share risk waivers that you create with organizations that monitor you as a vendor. Vendor Risk users will be able to see if a vendor organization has any public (shared) risk waivers, review them, and choose whether to accept those risk waivers.
  • We’ve improved our scanning, adding new risks to identify software that is past its end-of-life date. These scanning improvements identify the software used by your organization that is no longer supported by its developers and is potentially open to exploitation by threat actors.
  • We’ve developed a new tool, utilizing the power of AI, called AIEnhance. This new feature allows vendors to turn short bullet points or rough draft notes into full-sentence responses with the click of a button.
Improved flexibility for BreachSight reports and new subsidiary report

Annie Luu
June 7, 2023

We have made several improvements to BreachSight reports in this release, including the addition of a new subsidiary report.

  • BreachSight report: we’ve improved visualizations as well as added flexibility to build custom reports and add custom commentary.
  • Organizations that include subsidiaries: the new subsidiary report allows you to run a detailed risk report for your organization and its subsidiaries and compare the performance of subsidiaries over time. 

To learn more about the changes see How to generate a BreachSight report and How to generate a BreachSight Subsidiaries report.

Other improvements

  • Improvements to Vendor Risk Waivers allowing increased flexibility to select and edit domains/IPs or questionnaires included in the risk waiver. 
  • Enhanced filters for questionnaires. With these new filters, you can easily sort through shared assets based on their status, making it even easier to keep track of all important documents and information provided by your vendors.
  • A new Post Breach questionnaire type is now available in the Questionnaire Library. This questionnaire is designed to be sent to a vendor following a breach.
  • This release also includes a number of bug fixes.
May 2023
Improved flexibility for Vendor Risk and Board summary reports

Annie Luu
May 24, 2023

In this release we have made a number of improvements to Vendor reports and the Board summary report. These include improved visualizations as well as increased flexibility to build custom reports and add custom commentary. To learn more about the changes see How to generate a vendor report and How to generate a board summary report.

Other improvements

  • Scheduled reports which were previously only available for higher plans are now available to all customers. To learn more see What are recurring reports.
  • We’ve improved the custom vendor attributes feature to allow multi-select set lists. To learn more about how to use custom vendor attributes to store information about your vendors see How to use custom vendor attributes.
  • We’ve made a change to make it clearer to vendors that a questionnaire has been archived, preventing vendors from editing them. 
  • We’ve made some improvements to the recently released Questionnaire changes view feature to make navigating to see changes even easier. To learn more see How to compare responses using the Questionnaire Changes View.
  • We’ve added low severity risks related to TLS, including use of insecure cipher suites, common or weak Diffie-Hellman primes, and weak public keys. These will initially be released as provisional with no score impact.
  • We’ve made improvements to asset geolocation, now showing the location of the IP address rather than the IP owner.
  • This release also includes a number of bug fixes.
New functionality for vendors, powered by AI

Annie Luu
May 9, 2023

Today we’re releasing a new tool called AIEnhance, to help vendors respond faster and more accurately to questionnaires. Powered by AI, this feature is the first of its kind, as it allows vendors to turn short bullet points or rough draft notes into full sentence responses with the click of a button. It can correct grammatical mistakes, remove typos, and improve responses instantly without having to leave the questionnaire.

This feature is now in beta, available to all vendors who have been sent an UpGuard standard questionnaire. It is not yet available on custom questionnaires. We welcome feedback as we continue to make it easier and faster to respond to questionnaires. Learn more about AIEnhance.

Improved IP range presentation

The IP Ranges tab will now only show ranges that are wholly owned by the organization you are viewing. 

Risk for VMware daemon

We will now raise a high severity risk when the VMware authentication daemon, a service used in products including ESXi, is publicly exposed.

Informational risk for Meta Pixel

We will now raise an informational risk when we detect the Meta/Facebook Pixel. While this technology can be implemented benignly, it has been involved in several data breaches where personal health information was improperly transmitted to Meta via the tracking Pixel. 

Improvements to additional evidence 

Vendor Risk customers now have more flexibility to track additional evidence that is attached to a monitored vendor, with these changes:

  • Additional evidence risks are now able to be edited
  • New additional evidence document classification types have been added, alongside the ability to add your own custom types

For more information about these changes see  How to capture additional evidence.

Other improvements

  • This release includes a number of bug fixes
April 2023
New end-of-life software risks

Annie Luu
April 27, 2023

We’ve improved our scanning, adding new risks that identify software past its end-of-life date and show that date. End-of-life software no longer receives updates, including for security issues. Using this software is extremely risky as it is likely to have vulnerabilities without patches, and those vulnerabilities are often targeted by threat actors.

To see any end-of-life software risks affecting your organization, log in to your Cyber Risk account.

Improve visibility of status for Managed Vendors

We’ve added new Service Status and Analyst Notes fields to the Managed Vendors page to help organizations using Third-Party Risk Management Services to easily see the status of their requests. To learn more about these changes and Third-Party Risk Management Services see How to request a managed service.

Other improvements

  • This release includes a number of bug fixes
General release of Asset Portfolios and Public Risk Waivers

Annie Luu
April 13, 2023

These two features, which have been in limited beta, are now available to all eligible customers. This release also includes additional Excel exports available across the platform, improvements to questionnaire exports, and more.

Portfolios for your domains in BreachSight

Asset portfolios provide a way to group your domains together to simplify asset management, enforce access controls, and segment reporting. Portfolios are flexible and configurable, allowing you to group assets however best supports your business—by region, business unit, or other internal structures. Newly discovered subdomains will automatically inherit portfolio membership from their parent, ensuring consistent visibility over dynamic footprints. To learn more see  How to use asset portfolios to segment your domains.

This feature is included in all Professional, Corporate and Enterprise plans. Otherwise, to get access to this feature get in touch with your Technical Account Manager or contact us via support@upguard.com

Public Risk waivers

To make it easy for you to share information about compensating controls with UpGuard users in other organizations, you can now share risk waivers that you create with organizations that monitor you as a vendor. To learn more see How to use public risk waivers in BreachSight.

Vendor Risk users will be able to see if a vendor organization has any public (shared) risk waivers, review them, and choose whether to accept those risk waivers. To learn more see How to use public risk waivers in Vendor Risk.

Excel exports

To make it easier to extract and analyze the information and data you need, we’ve added a number of new Excel exports across the platform. New exports include: 

  • Risk profile changes view
  • Risk waivers
  • Individual remediation requests
  • BreachSight and Vendor Risk executive summary
  • Subsidiaries

Improvements to questionnaire exports

We’ve made improvements to questionnaire exports to allow inclusion of messages and comments. We’ve also added more fields to questionnaire summary exports to help you track and report on questionnaire activity and status across your vendors. 

Other improvements:

  • Updates to risks for non-standard HTTP & HTTPS ports
  • This release includes a number of bug fixes
March 2023
What’s New in UpGuard | March 2023

UpGuard Team
March 31, 2023

Learn about new features, changes, and improvements to UpGuard this month.

  • To promote your security rating to your customers and partners, you can easily embed our score badge on your website.
  • We’ve recently added a new feature to store Trust and Security page links against each vendor organization, making it quicker and easier for you to source and access publicly available security information to perform risk assessments.
  • You can now group your domains together to simplify asset management, enforce access controls, and segment reporting with Asset Portfolios.
Promote your security posture by sharing your UpGuard security rating and risk waivers

Annie Luu
March 29, 2023

To promote your security rating to your customers and partners, you can easily embed our score badge on your website by clicking Share rating in the top right corner of any BreachSight page within the app. Visit How to add your security rating badge to your website to learn more. 

Public Risk waivers - BETA release

To make it easy for you to share information about compensating controls with UpGuard users in other organizations, you can now share risk waivers that you create with organizations that monitor you as a vendor. To learn more see How to use public risk waivers in BreachSight.

Vendor Risk users will be able to see if a vendor organization has any public (shared) risk waivers, review them, and choose whether to accept those risk waivers. To learn more see How to use public risk waivers in Vendor Risk.

This feature is now available to Beta customers. If you would like to get early access, get in touch with your Technical Account Manager or contact us via support@upguard.com.

Compliance reporting for new ISO 27001 (2022) questionnaire 

Following on from the recent release of the new ISO 27001 (2022) questionnaire, we’ve added a new framework to our compliance reporting to provide an easy way to assess the level of compliance that a vendor has against this standard. To learn more see What is compliance reporting in UpGuard Vendor Risk.

Other improvements

  • Bulk IP address labeling – when importing lists of IP addresses, you can attach labels to them.
  • This release includes a number of bug fixes. 
Your vendor security pages, in one place

Annie Luu
March 16, 2023

In this release we have added a new feature to store Trust and Security page links against each vendor organization, making it easier to source and access publicly available security information to perform risk assessments.

  • We have added more than 4,000 links for relevant trust and security pages to the profiles of our most highly-monitored vendors. 
  • Any organization that has a Shared Profile in UpGuard can add additional relevant links to their own profile, making them available to other organizations assessing them in the UpGuard platform.
  • Vendor Risk users can also add links to the profile of any organization they are monitoring to use in their own vendor assessments.

To learn more see How to use Trust and Security pages in UpGuard.

Score change for public headers

The risks for security headers introduced in November 2022 have now been updated from unscored provisional risks to risks with score penalties applied. The penalties for these risks are averaged into the scoring algorithm, so there will be an equal number of domains that incur a score decrease as see a score increase, depending on whether they have implemented these controls at a lower or higher rate than average. You will see an indicator on the Risk Profile timeline so that changes in scores can be attributed to the introduction of penalties for these risks.

Portfolios view for your domains in BreachSight, now in beta

Asset portfolios provide a way to group your domains together to simplify asset management, enforce access controls, and segment reporting. Portfolios are flexible and configurable, allowing you to group assets however best supports your business—by region, business unit, or other internal structures. Newly discovered subdomains will automatically inherit portfolio membership from their parent, ensuring consistent visibility over dynamic footprints. This feature is now in a limited beta test. If you’d like to try it out, get in touch with your Technical Account Manager or contact us via support@upguard.com

Other improvements

  • It’s now easier to find and use Shared Profile documents your vendor has uploaded. These can be found in the Questionnaires, Additional Evidence and Risk Assessments views. 
  • We’ve added a warning if vendors try to submit questionnaire updates without making changes, to cut back on unnecessary steps.
  • We’ve made some changes to the risk profile pages, adding a status column to improve visibility of risk waivers as well as remediation requests. We’ve also made it easier for you to edit your risk waivers if the scope changes.
  • This release includes a number of bug fixes. 
Two major questionnaire updates

Annie Luu
March 1, 2023

This release includes two updates to questionnaires that we think you’re going to want to know about. Firstly, we’ve introduced a new version of our ISO 27001 questionnaire. This new version is in line with the ISO/IEC 27001:2022 standard which was published in late 2022. Secondly, we’ve added the ability for vendors to export the questionnaires from UpGuard, complete them, and import them back into the platform. Read on to learn more.

ISO 27001:2022 Questionnaire update

Now available in the Vendor Risk Questionnaire Library, this update brings our ISO 27001 questionnaire up to date with the latest standard. You will be able to continue to access both the previous version as well as the new one via the Questionnaire Library.

Questionnaire answer import tool – now in beta

Vendors can make use of this new feature to export questionnaires as .XLSX workbooks, add their responses offline, and then import them back to UpGuard to complete the process. This gives vendors the flexibility to complete questionnaires faster and more easily, in the tools of their choosing. This feature is now in beta, with feedback welcome. Learn more about it here

Other improvements

  • We’ve made some layout and sorting improvements to the competitors table for subsidiary-type accounts. 
  • This release includes a number of bug fixes.
February 2023
What’s New in UpGuard | February 2023

UpGuard Team
February 28, 2023

Learn about new features, changes, and improvements to UpGuard this month.

  • We’ve updated our ISO 27001 Questionnaire in line with the latest standard. You can access both the latest version and the previous one via the Questionnaire Library in Vendor Risk.
  • Vendors can now complete questionnaires faster and easier in the tool of their choice via the Questionnaire Answer import tool. This new feature allows vendors to export Questionnaires as an Excel document, add their responses, and import back into the UpGuard Platform to complete the questionnaire.
  • We’ve added a new Risk Assessment Summary report showing the risk assessment status across your vendors
  • We have added additional risks for domains at risk of hijacking. You can now receive notifications of new active domains and IPs, and reduce the time to remediate associated risks.
Additional risks for domain hijacking

Annie Luu
February 15, 2023

We have added additional risks for domains at risk of hijacking. In addition to existing checks for websites that can be taken over, we have now added detection for expired domains in MX records, which could be registered to compromise email security.

To learn more see How does UpGuard detect sites at risk of subdomain takeover?

Add sorting to competitor analysis in BreachSight 

In the BreachSight Executive Summary, you can now sort the Competitor Analysis panel by name or score to more easily understand how your organization compares to peers.

Improved risk detection for primary domains 

When the example.com and www.example.com versions of a site are different, the risks associated with each version of the site are more accurately reported.

Other improvements

  • Risk detection for Microsoft Exchange now uses the full build version for more accurate detection and resolution of vulnerabilities.
  • Risks are now raised for domains that serve publicly listable cloud storage buckets. Buckets should be configured not to allow public file listing to prevent potential data leaks. 
  • We have exempted more risks specific to Microsoft domains. Generally these risks pertain to SSL/TLS issues that do not appear exploitable and that the domain owners are not able to resolve. 
  • Account administrators can now enforce MFA logins for all users in the account, without having to contact UpGuard support. This feature is available through the User Settings page, and only applies to users that are not using SSO authentication.
  • We’ve streamlined the process for when you stop monitoring a vendor – now your open questionnaires and remediation requests will be automatically archived.
  • This release includes a number of bug fixes.
New Risk Assessment Summary Report

Annie Luu
February 1, 2023

Following on from the addition of risk assessment summary information to the Vendors page, we’ve added a new report showing risk assessment status across your vendors.

The report will give you a useful snapshot to help you:

  • Track and follow up on the status of your in-progress risk assessments
  • See which vendors are due for re-assessment, to help you plan for and schedule assessment activity 
  • See which vendors have not been assessed, so you can plan for future assessments

To learn more see How to generate a vendor risk assessment summary report       

Additional risks for domain hijacking

We have added additional risks for domains at risk of hijacking. If a domain's DNS records point to an expired or unregistered domain, attackers can register that domain and gain access to part of the target's domain namespace. In this release we’ve added subdomain takeover detection for the following additional services:

  • Shopify
  • Campaign Monitor 
  • Kajabi
  • SmartJobBoard
  • HatenaBlog
  • Worksites
  • Uptimerobot
  • Help Juice

 To learn more see How does UpGuard detect sites at risk of subdomain takeover?

Incorporating Managed Vendors into Vendor Risk, and Data Leaks into BreachSight 

In order to simplify our navigation and product offering, we have removed the Cyber Research section in UpGuard. Existing customers will now find Data Leaks included in the BreachSight section, and Managed Vendors included in the Vendor Risk section of the application. There are no changes to entitlements, plans, or the service levels of these products.

Other improvements

  • We’ve made a few more improvements to the Notifications page, to re-order sections and add clearer description text for some notifications. 
  • This release includes a number of bug fixes.
January 2023
Helping you manage in-app and email notifications

Annie Luu
January 18, 2023

UpGuard’s granular notification system supports many customisable settings that can be overwhelming at first glance. To ensure more effective use of this powerful system, we’ve overhauled the grouping, naming and descriptions of each type of notification. Now, setting up your email and in-app notifications on the Manage Notifications screen is easier to keep track of and understand.

Read more about notifications here:  What are notifications in UpGuard?

Additional risks for domain hijacking

We have added additional risks for domains at risk of hijacking. If a domain's DNS records point to an expired or unregistered domain, attackers can register that domain and gain access to part of the target's domain namespace. In this release we’ve added subdomain takeover detection for the following services: Agile CRM, Strikingly, Anima, Surge.sh.

To learn more see How does UpGuard detect sites at risk of subdomain takeover?
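
The expired-domain case described in these notes (a CNAME or MX record whose target sits under a domain that nobody holds any more) can be audited against your own zone data. The following is an added example, not UpGuard's detection logic; the function names, the sample zone and the `REGISTERED` lookup are constructed for illustration, and a real audit would replace the lookup with a registrar or RDAP query and use the full Public Suffix List.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Assumption: tiny constructed subset of multi-label public suffixes.
# A real audit should load the full Public Suffix List instead.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}

# Constructed sample zone (BIND-style "name ttl IN type rdata" lines).
SAMPLE_ZONE = """\
; constructed sample zone for example.com
www.example.com.     300 IN CNAME example.com.
blog.example.com.    300 IN CNAME pages.retired-host.test.
status.example.com.  300 IN CNAME stats.live-vendor.test.
example.com.         300 IN MX    10 mail.example.com.
example.com.         300 IN MX    20 backup.old-mail.test.
nomail.example.com.  300 IN MX    0 .
example.com.         300 IN TXT   "v=spf1 mx -all"
"""

# Constructed stand-in for a registration lookup: domains that are still held.
REGISTERED = {"live-vendor.test"}


@dataclass(frozen=True)
class Record:
    name: str
    rtype: str
    target: str


def _norm(host: str) -> str:
    """Lower-case a hostname and drop the trailing root dot."""
    return host.rstrip(".").lower()


def parse_zone(text: str) -> List[Record]:
    """Return the CNAME and MX records found in the zone text."""
    records = []
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()      # strip comments
        if "IN" not in fields:
            continue
        i = fields.index("IN")
        if i == 0 or len(fields) < i + 3:
            continue
        name, rtype, rdata = fields[0], fields[i + 1].upper(), fields[i + 2:]
        if rtype == "CNAME":
            records.append(Record(_norm(name), rtype, _norm(rdata[0])))
        elif rtype == "MX" and len(rdata) >= 2:    # rdata = preference, host
            records.append(Record(_norm(name), rtype, _norm(rdata[1])))
    return records


def registrable_domain(host: str) -> str:
    """Reduce a hostname to the domain a registrar would sell."""
    labels = _norm(host).split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def find_dangling(
    records: List[Record],
    own_domain: str,
    is_registered: Callable[[str], bool],
) -> List[Tuple[str, str, str, str]]:
    """List records whose external target domain is not registered."""
    own = _norm(own_domain)
    findings = []
    for rec in records:
        if not rec.target:            # null MX ("0 .") points nowhere
            continue
        parent = registrable_domain(rec.target)
        if parent == own:             # internal target, under our control
            continue
        if not is_registered(parent):
            findings.append((rec.name, rec.rtype, rec.target, parent))
    return findings


if __name__ == "__main__":
    zone = parse_zone(SAMPLE_ZONE)
    for name, rtype, target, parent in find_dangling(
        zone, "example.com", REGISTERED.__contains__
    ):
        print(f"{name} {rtype} -> {target} (unregistered: {parent})")
```

Each finding is a record to delete or repoint. This covers only the expired-domain case; unclaimed resources on a live hosting provider need a per-provider check.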

Ability to bulk-update custom vendor attributes

If you’ve been using custom vendor attributes to store important information such as contract expiry date, you will now be able to bulk-edit attributes from the vendors screen. Similar to how you manage tiers, labels and portfolios, this functionality will help you update and assign attributes more quickly and efficiently. 

To learn more see How to use custom vendor attributes

Other improvements

  • In this release we’ve improved the speed of resolving risks relating to closed ports - risks are now resolved immediately when you request a rescan of a domain or IP.
  • This release includes a number of bug fixes.
2022
What’s New in UpGuard | December 2022

UpGuard Team
December 31, 2022

Learn about new features, changes, and improvements to UpGuard this month.

  • BreachSight users can now see the date that risks were discovered in their risk profile. This new enhancement makes it easier for you to know when risks are introduced to your environment, and assess what changes could have caused them. We’ve also added Date Published for identity breaches to help you better understand the timeline for breach disclosures.
  • If you’ve been using custom vendor attributes to store important dates, such as a contract expiry date, you will now be able to create custom notifications for these attributes. These notifications will help you keep track of these important dates, and can be added as in-app messages in your activity stream, or as email notifications.
  • To make it faster and easier for you to keep track of risk assessment statuses across all of your vendors, we’ve added an Assessment summary section to the Vendors page. This lets you quickly filter your view based on risk assessment status, so you can choose which actions to take next. We’ve also added Assessment author and Reassessment date as columns on the vendors table, and made it easier for you to tailor your vendors page to see the information that’s most important to you.
New ways to keep track of risk assessment status across vendors

Annie Luu
December 20, 2022

To make it faster and easier for you to keep track of risk assessment statuses across all your vendors, we’ve added an Assessment summary section to the Vendors page. This lets you quickly filter your view based on risk assessment status, so you can choose which actions to take next. 

We’ve also added Assessment author and Reassessment date as columns on the vendors table, and made it easier for you to tailor your vendors page to see the information that’s most important to you. To learn more see What is the Vendors section?

Amazon S3 subdomain takeover detection

To detect sites at risk of subdomain takeover, UpGuard now checks domains for DNS records that point to resources that are not in use and thereby available for others to register. We are rolling this out initially to provide checks on Amazon S3 buckets, with more information available here

Notifications for date-type vendor attributes

If you’ve been using custom vendor attributes to store important dates such as contract expiry date, you will now be able to create custom notifications for these date-type attributes. These notifications will help you keep track of these important dates and can be added as in-app messages in your activity stream or email notifications (email notifications are turned off by default).

To learn more see How to use custom vendor attributes.

Other improvements

  • Risk Profile xlsx exports now include columns for Domain and IP Labels.
  • When viewing the Domains page for your organization or for a vendor, you can now filter the list of domains by their associated risks.
  • We have made some improvements to the questionnaire autofill feature to more accurately detect non-exact matches.
  • This release includes a number of bug fixes.

Enhancements to risk profile to show the date a risk was found

Annie Luu
December 7, 2022

We have enhanced the BreachSight risk profile to show the date that risks were discovered. This makes it easier for you to know when risks are introduced to your environment, and assess what changes could have caused them. 

We’ve also added Date Published for identity breaches to help you better understand the timeline for breach disclosures.  

Questionnaire changes view

Previously in beta, the questionnaire changes view is now available to all Vendor Risk customers. This feature makes it faster and easier to see how responses have changed between versions of a questionnaire, so that you can focus on the information that’s most relevant. To learn more see How to compare responses using the questionnaire changes view.

Other improvements

  • We’ve added PDF export capability to the Data Leaks summary page
  • We’ve increased the character limits for custom attribute and notes fields
  • This release also includes a number of bug fixes
What’s New in UpGuard | November 2022

UpGuard Team
November 30, 2022

Learn about new features, changes, and improvements to UpGuard this month.

  • Beta customers can compare responses between two versions of a questionnaire with our Questionnaire Changes View. This new feature will make it faster and easier for you to reassess your vendors, by allowing you to focus on questionnaire responses that have changed, giving you a more accurate and up-to-date picture of the vendor’s security posture. Talk to your Technical Account Manager or reach out to support@upguard.com to learn more.
  • To help drive the risk assessment process and ensure your vendors respond to you, we’ve added some new notifications to keep track of and follow up on your activity within UpGuard. These include risk reassessment dates, and questionnaire and remediation request due dates. You can configure these notifications to appear in-app on your home screen, as well as via email in your Settings.
  • We’ve added two new questionnaires to the library—the Higher Education Community Vendor Assessment Tool (HECVAT) questionnaire, as well as a HECVAT Lite version—which will help institutions align their vendor risk posture to higher education-specific security controls.
  • You can now quickly and easily identify your organization's highest areas of risk with our CISA Known Exploited Vulnerabilities (KEV) feature. This feature will allow you to prioritize the remediation of vulnerabilities that directly impact your business, and allow you to set up notifications to be informed when a vulnerability you have is added to the KEV list.
Questionnaire changes view

Annie Luu
November 24, 2022

We are rolling out ‘questionnaire changes view’ to our Beta program customers. This feature enables you to compare responses between two versions of a questionnaire side by side, making it significantly faster and easier for you to re-assess your vendors.

The questionnaire changes view allows you to focus on the responses that have changed. It gives you a more accurate and up-to-date picture of the vendor’s security posture without the risk of having answers that have changed without your knowledge. This article has more information about using the changes view.

We are initially releasing the questionnaire changes view to a group of Beta customers. If you would like to be part of the Beta, please reach out to your Customer Success representative or send a request on Intercom. 

Part of the Beta group and have feedback to leave? Share your thoughts here

Notifications for risk reassessment and due dates

We’ve added some new notifications to help keep track of and follow up on your activity within UpGuard including risk reassessment dates, remediation request and questionnaire due dates. 

You can configure these notifications to appear in-app on your home screen and/or via email in Settings. Email notifications will be switched off by default. To learn more check out Notifications in UpGuard.

Inviting a vendor to a free trial

We previously enabled UpGuard Vendor Risk customers to provide 14 days of free access to their vendors. We’ve improved this feature by making the invite button more visible in the platform—this can be found in any vendor’s header next to the vendor name.

Learn more about how you can proactively improve your third party security by providing your vendors access to the UpGuard platform here.

Addition of new HECVAT questionnaires

We’ve added two new questionnaires to the library—the Higher Education Community Vendor Assessment Tool (HECVAT) questionnaire, as well as a HECVAT Lite version—which will help institutions align their vendor risk posture to higher education-specific security controls.

Other improvements

  • Added informational risks to identify unmaintained assets, like those serving default server pages and web directories.
  • Added informational risks for sites without Certificate Authority Authorization records.
  • Data leaks where the developer’s business email address is found in the event history will be broken out into a “Github User” source. Keyword matches that occur in the code contents will continue to be labeled with the “Github” source.
  • Improvements to the performance of notifications. This includes batching a variety of notification types to reduce spam.
  • Improvements to the vendor search experience when used in combination with filters and portfolios.
  • This release includes a number of bug fixes.
CISA known exploited vulnerabilities tags and notifications

Chris Schubert
November 9, 2022

You can now quickly identify which vulnerabilities on your assets are on CISA’s list of known exploited vulnerabilities (KEV), pointing you towards your highest areas of risk at a glance. 

At any given time, threat actors are only targeting a small number of vulnerabilities, and this feature will allow you to prioritize the remediation of those vulnerabilities that directly impact your business. As part of this feature, you can also set up notifications to be informed when a vulnerability you have is added to the KEV list.

New Data Leaks home page

The new Data Leaks Home page provides more reporting capabilities for understanding where those mentions of your brand keywords are occurring. UpGuard’s Data Leaks engine processes billions of files each day to identify the small number of sensitive data exposures affecting our customers. This information will help understand your risk profile for leaks and demonstrate your controls for the timely detection of data exposures. Over the coming weeks, this feature will be rolled out to accounts with Data Leaks enabled.

Additional risks for website security headers

We’ve added detection for more risks related to website security headers. These risks will be released in a “provisional state,” meaning they are visible but do not affect scoring. After a provisional period of one month, the risks will be updated to include scoring penalties. 

Improvements to remediation exports

We’ve added new capabilities to the remediation export to assist with tracking and auditing of remediation activity, including:

  • Additional fields in the remediation summary exports
  • Addition of export capability for individual remediation

To learn more about these improvements check out How to export your internal remediation requests and How to export your vendor remediation requests.

Other improvements

  • Added detection for the OpenSSL 3.0 vulnerabilities CVE-2022-3786 and CVE-2022-3602
  • You can now delete risk waivers in UpGuard BreachSight as opposed to archiving them
  • This release includes some more performance improvements 
  • This release includes a number of bug fixes

What’s New in UpGuard | October 2022

UpGuard Team
October 31, 2022

Learn about new features, changes, and improvements to UpGuard this month.

  • We’ve made improvements to Shared Profiles to make it faster and easier for you to assess vendors, and be assessed by vendors. The revamped display of nested documents makes it easier to understand the relationship between questionnaires and their attached documents. We’ve also removed the empty sections of your Shared Profile for viewers, so you can keep their focus on the evidence you’ve made available.
  • The new Health Insurance Portability and Accountability Act (HIPAA) questionnaire allows you to determine if your vendors align with the US Federal HIPAA standard, which relates to the secure handling of Protected Health Information (PHI). Simply send this security questionnaire to your vendors, and UpGuard will automatically generate risks based on the responses.
  • We’ve streamlined the risk assessment process by incorporating risk waivers into the risk review section of the platform. This feature allows you to document justifications and approvals for waiving known risks, in addition to requesting remediation. This consolidates the risk assessment workflow so that you have all relevant information when managing your vendors and their risks.
  • To help reduce the time to remediate risks associated with new active domains and IPs, we've added notifications that will alert you when these new domains and IPs are detected as part of your organization's attack surface. These notifications will be enabled by default in the Home page, and as part of this feature, you can also enable email notifications and modify in-app notifications any time in your Account Settings page.
Notifications for when new domains and IPs are detected

Annie Luu
October 26, 2022

We've added notifications that will alert you when new domains and IPs are detected as part of your organization's attack surface.

The appearance of new active domains or IPs can pose a risk in itself if the assets are not securely configured for production use, are applications intended only for internal use, or are unauthorized shadow IT. Notifications for new assets can help reduce the time to remediate when such incidents occur. 

These notifications will be enabled by default for the Home page in the Cyber Risk platform. You can also enable email notifications and modify in-app notifications any time in the Account Settings page. To learn more about configuring notifications in UpGuard see What are notifications in UpGuard.

Other improvements

  • For customers that use webhook integrations: all webhook requests from UpGuard will now come from a small set of static source IP addresses. The list of IP addresses is available at https://cdn.cyber-risk.upguard.com/webhook-ips.json. If you have set up webhook integrations behind a firewall you will have to ensure the above IP addresses are allowed by the firewall rules.
  • This release includes some performance improvements 
  • This release includes a number of bug fixes
Risk waivers added to the risk assessment workflow

Annie Luu
October 13, 2022

In this release we have streamlined the risk assessment process by incorporating risk waivers into the risk review section. The feature allows you to document justifications and approvals for waiving known risks, in addition to requesting remediation. This streamlines the risk assessment workflow so that you have all the relevant information when managing the risks presented. Learn all about using the risk assessment framework in UpGuard

HIPAA questionnaire with risk mapping

We have added a new risk-mapped security questionnaire to the questionnaire library: the Health Insurance Portability and Accountability Act (HIPAA) questionnaire. The HIPAA questionnaire allows organizations to determine if their vendors are compliant with the US Federal HIPAA standard, which relates to the secure handling of Protected Health Information (PHI). 

Simply send this security questionnaire to your vendor and UpGuard will automatically generate risks based on the responses. Vendors can save time by using our new auto-fill functionality to complete the same questionnaire at the touch of a button. Learn more about using questionnaire autofill.

Other improvements

  • We’ve added unverified checks for Microsoft Exchange ProxyNotShell vulnerabilities (CVE-2022-41040 and CVE-2022-41082).
  • We’ve made improvements to our detection of Windows Server versions.
  • Creating a risk waiver will now close associated remediation request risks.
  • Additional audit log events for shared profiles:
      - Revoking a user's or organization's access
      - Adding, editing or removing assets on the profile
      - Customizing the public info on the profile
  • This release includes a number of bug fixes.
What's new in UpGuard | September 2022

UpGuard Team
September 30, 2022

Learn about new features, changes, and improvements to UpGuard this month.

  • To make it faster and easier for Shared Profile owners to ensure that the right users have access to their documents, Shared Profile owners can now upload a non-disclosure agreement template that must be accepted by an organization before the documents housed in the Shared Profile can be viewed by its users.
  • We’ve redesigned the vendor summary page to make it easier for you to see all the information critical to understanding and assessing the security posture of your vendors. As part of the updated vendor summary page, we’ve now consolidated all risk assessment activities and evidence together under the risk assessment framework. This change will help you quickly determine the assessment state of the vendor, manage your workflows, and follow up on any outstanding activities.
  • As an UpGuard Vendor Risk customer, you can now provide your vendors with 14 days of access to the UpGuard Platform. This will give your vendors free access to proactively review and improve their cyber security posture, and help you to build stronger and safer business partnerships with your vendors.
Shared Profiles enhancements

Annie Luu
September 28, 2022

Shared profiles are a great way to proactively provide security information to cut down the time it takes for you to be assessed by another party. You might choose to publish a completed ISO27001 questionnaire or a SOC 2 type 2 report, and share that proactively with your customers instead of being sent another lengthy questionnaire that covers much of the same information. To ensure that these documents are accessed only by the customers you choose, you can set up access protection controls, add an NDA to be agreed to before documents can be downloaded, or a combination of both. Learn more about how to add an NDA to your shared profile here.

As part of this release we’ve made improvements to Shared Profiles. This is part of our commitment to making it easier and faster for you to assess vendors, and be assessed by vendors. The display of nested documents has been revamped, to make it easier to understand the relationship between questionnaires and their attached documents. Additionally, empty sections of your Shared Profile are no longer displayed to viewers, keeping the focus on the evidence you’ve made available.

For more information on Shared Profiles see this link.

Other improvements

  • A tweak to the Vendor Summary Domains and IPs section, to make it easier to see domains and IPs separately
  • This release includes a number of bug fixes
Added protection for Shared Profiles

Annie Luu
September 14, 2022

This release includes the ability to enable NDA Protection for your Shared Profile. 

NDA protection for your Shared Profile

To make it easier and faster for Shared Profile owners to ensure that the right users have access to their documents, Shared Profile owners can now upload an NDA (non-disclosure agreement) template. When enabled, visitors to the Shared Profile must accept the terms of the NDA before documents and questionnaires within the Shared Profile can be accessed. 

This feature sits alongside the existing Access Protection feature for Shared Profiles. Shared Profile owners can manage their NDA settings, see which organizations have agreed to the NDA, request an NDA from existing customers, or revoke access to the Shared Profile. 

Learn more about how to implement NDA protection for a Shared Profile.

Other improvements

  • This release also includes a number of bug fixes.
New Vendor Summary page

Annie Luu
September 1, 2022

This release includes some exciting enhancements to make it easier to manage and assess your vendors.

Vendor summary page redesign

We’ve redesigned the vendor summary page to make it easier to see all the information that’s critical to understanding and assessing the security posture of your vendors. This includes consolidating all risk assessment activities and evidence together under the risk assessment framework to help you quickly determine the assessment state of the vendor, manage your workflow, and follow up on any outstanding activities.

To learn more about this change and how to use the risk assessment framework check out using the risk assessment framework within the UpGuard platform.

Invite vendors to access their full security profile

UpGuard Vendor Risk customers can now provide their vendors with 14 days of access to the UpGuard Platform. This will give them free access to proactively review and improve their cyber security posture, and help you to build stronger and safer business partnerships with your vendors.

To learn more check out Inviting a vendor to access their full security profile in UpGuard

Other improvements

  • When business email addresses are found in the analysis of documents leaked from ransomware blogs, they will now be published through the Identity Breaches module. Access to this information can help identify the impact of breaches of third or fourth parties. To learn more check out Identity breaches from ransomware leak blogs.
  • This release includes UI improvements to Shared Profile settings and Shared Profile access pages. This includes a new status pill that indicates whether the existing Access Protection option is on or off, and an expanded Settings page replacing the old slide-out modal.
  • We’ve added detection of CVE-2022-36804, a critical severity command injection vulnerability in Atlassian Bitbucket Server and Data Center.
  • This release also includes a number of bug fixes.

What's New in UpGuard | August 2022

UpGuard Team
August 31, 2022

Learn about new features, changes, and improvements to UpGuard this month.

  • Custom Attributes provides you with a complete view of your vendors within the platform, for effective vendor management, better filtering and sorting of vendors, and easier reporting and analysis by categorizing your vendors based on common themes or attributes.
  • We know that filling out questionnaires can be a time-consuming and repetitive task. To greatly reduce the time involved, we’ve introduced a Questionnaire Autofill feature that scans previous questionnaire responses from a vendor’s organization, and suggests a range of autofill answers. Respondents can then easily review previous responses and use them in the current questionnaire.
Custom Attributes and Questionnaire Autofill

Annie Luu
August 16, 2022

This release includes two brand new features which will help accelerate and streamline your vendor management and risk assessment processes.

Custom Attributes

Store additional structured information to help manage the relationship with your vendors and easily sort and group them by common characteristics. This will enable more effective vendor management within the UpGuard platform.

You can define the custom attributes you need, so you can store the information that’s important to your organization. For example, use custom attributes such as Internal Owner, Contract End Date and Cost Center to help manage your vendor relationships within the UpGuard platform.

Check out How to use Custom Vendor Attributes for help setting up and getting the most out of this feature.

Questionnaire Autofill

Filling out questionnaires can be a time-consuming and repetitive task. To greatly reduce the time involved, we are introducing a Questionnaire Autofill feature that scans previous questionnaire responses from a vendor’s organization and suggests autofill answers. Respondents can then easily review previous responses and use them in the current questionnaire where relevant. This will help your vendors respond to questionnaires faster, making it quicker and easier for you to complete vendor risk assessments. 

To learn more about how to use this feature and how it works, check out How to autofill a questionnaire based on your previous responses.

Other improvements

  • This release also includes a number of bug fixes.
What’s new in UpGuard | July 2022

UpGuard Team
July 31, 2022

Learn about new features, changes, and improvements to UpGuard this month.

  • The new Reports Library allows you to see a collection of reports that can be generated from the platform, making it easier and faster for you to access tailor-made reports for different stakeholders, all in one central location.
  • You can now produce on-demand reporting, saving you time when communicating with the board and executive team, by generating a report that they can quickly and easily analyze. We’ve also improved our BreachSight Executive Summary report and Vendor Summary reports so that they can be tailored for relevant stakeholders.
  • It’s now easier to quickly focus on the most impactful areas of your third party risk management program, by visualizing your vendor portfolio risk by Security Rating and Tier.
New Reporting Hub with Board Summary report

Annie Luu
July 20, 2022

For this release we've focused on delivering improvements to executive/board-level reporting. You can now create reports that are specifically tailored to this audience, with the appropriate level of detail and information.

Some of these improvements include:

  • Reworking the way in which you interact with the ‘Reports’ navigation menu item. You can now see a library of reports that can be generated on the platform.
  • A new Board Summary report is now available. This provides a high level snapshot of key factors around your organization’s cyber security posture, including company risk rating, industry average, and severity of risks. This is a quick and easy way to share key information with your executive team and other interested parties.
  • Improved Vendor Summary and BreachSight Executive Summary reports are now available. These give you the option to generate:
      - Predefined summarized versions of the original Vendor and BreachSight Reports, providing a snapshot of key information for your executives.
      - Detailed versions of the reports, which allow you to customize and display all the information your cybersecurity team might need to identify and reduce your third party risks.

For more information on the new reporting features in UpGuard, check out ‘Reporting in UpGuard Cyber Risk’.

Other improvements

  • Subsidiaries are now filtered in alphabetical order, rather than the order they were added/detected.
  • The visibility status of each question is now provided in the Excel export of a questionnaire.
  • This release includes a number of bug fixes.
New Vendor Risk Matrix

Annie Luu
June 21, 2022

We’ve added a risk matrix to the Vendor Risk Executive Summary that measures vendor security ratings by business impact. This enables you to quickly focus on the most impactful areas of your third party risk management program by visualizing your vendor portfolio risk by Security Rating and Tier.

This feature will help drive action where it matters most, highlighting the vendors of highest concern in the top right of the matrix. You can then click through on each cell to see a filtered list of these vendors and start reducing your cyber risk with maximum impact.

For help setting up tiering to get the most out of this feature, check out ‘How to tier your vendors in UpGuard’.

Other improvements

  • We’ve included ‘Reassessment date’ on the vendor page Excel export. The date is set when completing a risk assessment for a vendor.
  • This release includes a number of bug fixes.
Vendor relationship questionnaire moving out of beta

Annie Luu
June 10, 2022

Previously released only to a beta group, the vendor relationship questionnaire feature is now available to all UpGuard Vendor Risk customers. 

To streamline internal collaboration and quickly understand the level of depth required when assessing a new vendor, you can now send a vendor relationship questionnaire to the relevant members of your organization. This enables you to gather and store key information about how you work with your vendors from within Vendor Risk. 

Visit how to use vendor relationship questionnaires to learn how you can set up and use this feature. 

If you would like to join our beta program for early access to future features, please talk to your Technical Account Manager or contact support@upguard.com.

Other improvements

  • You can now filter Vendor Risk questionnaires by status. This enables you to quickly filter your view – for example, to see all questionnaires that are currently in review. 
  • This release also includes a number of bug fixes.
What’s New in UpGuard | May 2022

UpGuard Team
May 31, 2022

Learn about new features, changes, and improvements to UpGuard this month:

  • In-line questionnaire correspondence & annotation - You can now add messages and notes to individual questions within a questionnaire, helping to drive collaboration with your vendors and streamline the process.
  • Vendor portfolios - Vendor portfolios allow you to efficiently group monitored organizations into separate lists for easier management.
  • Vendor relationship questionnaire - Gather and store key information from the people managing the vendor relationship, leading to easier collaboration within your organization when onboarding a new vendor.
  • Improved ‘Monitor Vendor’ page - Quickly and easily monitor a new vendor, label and tier them, add them to a portfolio, and initiate a vendor relationship questionnaire, all within one place.
In-line questionnaire correspondence & annotation

Annie Luu
May 25, 2022

We have made it easier for you to communicate with your vendors using in-line messages and notes when sending and completing questionnaires.

To drive collaboration and streamline the process, you can now add messages to individual questions within a questionnaire, making it easier to seek clarification on any responses. You will be able to communicate directly with vendors and provide specific instruction on individual questions, allowing vendors to easily seek information from you to speed up the whole process.

This enhancement also allows you to add private notes to individual questions that are only visible to users in your organization. 

These features were previously only available at the overall questionnaire level.

To learn more about how this works you can visit Adding and viewing messages and notes in Security Questionnaires.

Features moving out of Beta

The following features, previously available in limited beta, are now more widely available to Vendor Risk customers as part of this release:

  • The ‘Monitor Vendor’ page has a new look, which enables you to efficiently manage your vendors, by allowing you to review and edit vendor information, add the vendor to portfolios, add vendor tiering and labels, and trigger a vendor relationship questionnaire when onboarding a new vendor.
  • Vendor portfolios, which allow you to efficiently group monitored organizations into separate lists for easier management. You will be able to add up to 5 portfolios as part of this release (moved to open beta for all vendor risk customers on Starter, Professional, Corporate and Enterprise plans). For help setting up and using vendor portfolios, you can visit How to use portfolios to segment your vendors.

Other improvements

  • This release includes a number of bug fixes
Improved vendor onboarding and management

Annie Luu
May 12, 2022

The Vendor Relationship Questionnaire streamlines the process for capturing all relevant information when onboarding a new vendor, and the new Vendor Portfolios feature makes it easier to categorize and manage vendors, in addition to the existing labels and vendor tiering features.

Both of these features have been released to our beta customers ahead of the full release. Please talk to your Technical Account Manager or contact support@upguard.com to find out how to join our beta program to gain early access to these features.

Vendor Relationship Questionnaire

Streamline collaboration within your organization when onboarding a new vendor with the Vendor Relationship Questionnaire. This feature enables you to gather and store key information from the people managing the vendor relationship, allowing you to simplify the overall risk assessment process.

For help with setting up and using your Vendor Relationship Questionnaire you can visit How to use vendor relationship questionnaires.

Vendor Portfolios

You can now efficiently group monitored organizations into separate lists using the portfolios feature. Portfolios allow you to limit access so that individual users within your team only see the vendors relevant to them. Once set up, this feature allows you to:

  • Easily filter, view and report the performance of individual portfolios
  • Maintain and report on separate vendor portfolios for different departments or groups within your organization
  • Manage permissions so that users only have access to the portfolios and vendors they need.

For help with setting up and using Vendor Portfolios you can visit How to use portfolios to segment your vendors.

Other improvements

  • This release includes a number of bug fixes
What’s New in UpGuard | April 2022

UpGuard Team
April 30, 2022

Learn about new features, changes, and improvements to UpGuard this month.

  • When you’ve been provided access to a questionnaire through a shared profile, you can now request remediation of any present risks directly.
  • You now have the flexibility to send tailored notifications to any email address, including colleagues who aren’t UpGuard users, emails from other domains, and group email addresses.
  • You can now request the remediation of a risk directly from within a risk assessment, reducing the time it takes to perform and document a vendor risk assessment.
Search and filter questionnaires

Annie Luu
April 27, 2022

We’ve made it easier to quickly find questionnaires, with upgrades to the existing ‘Search Questionnaires’ functionality. 

This includes the ability to search by:

  • Vendor name
  • Sender name
  • Questionnaire name
  • Questionnaire type

You can also apply ‘vendor name’ as a filter, in addition to tier, label and score. For help sending a security questionnaire to your vendors, you can visit ‘How to send security questionnaires in UpGuard Vendor Risk’.

Other improvements

  • Added a 'Remediation' flag to the questionnaire API output 
  • Other bug fixes
Send notifications to any email address

Chris Schubert
April 13, 2022

You now have the flexibility to send tailored notifications to any email address, including other domains, recipients who are not UpGuard users, and group addresses such as security@mycompany.com.

Building the right notification process is critical when securing your company and customer data. Setting up an email integration gives you:

  • The flexibility to automatically notify any email address when a specific event occurs, such as when a new domain or IP is added to your company for verification by the IT department.
  • The ability to customize the messaging for each notification, to provide the required context and information.

For help setting up an email integration, check out 'How to create an email integration in UpGuard'.

Request remediation on shared profile questionnaires

Creating a shared profile is a great way to proactively share your organization’s security posture and related documentation with current and prospective vendors to expedite the assessment process. Now, when you have been provided access to a questionnaire through a shared profile, you can request remediation of these risks directly. For more information, see 'How to remediate risks from shared questionnaires'.

Other improvements

  • This release includes a number of bug fixes
What’s New in UpGuard | March 2022

UpGuard Team
March 31, 2022

Learn about new features, changes, and improvements to UpGuard this month.

  • You can now send issues directly into your Jira Cloud project from UpGuard with our native Jira Cloud integration.
  • We’ve added a new questionnaire to the platform, namely, the Essential Eight, as developed by the Australian Cyber Security Centre.
  • Stay up to date with your organization’s attack surface changes, thanks to the new BreachSight email digest.
Remediation requests within risk assessments

Chris Schubert
March 30, 2022

One of the key reasons why many organizations look to UpGuard is to reduce the time it takes to perform and document a vendor risk assessment. With remediation requests within the risk assessment, you can now send remediation requests, track the progress of each item under remediation and have a record of the remediation request embedded directly in a point-in-time risk assessment. For help, please see ‘How to complete a risk assessment’.

Other improvements

  • This release includes a number of bug fixes
BreachSight monthly email digest

Chris Schubert
March 16, 2022

Stay up to date with your organization’s attack surface changes with the new BreachSight email digest. You’ll receive a monthly email outlining any changes to your security rating, information about any risks added or resolved, updates to IPs and domains as well as a quick way to review and resolve any associated risks. You can enable/disable this feature in the Manage Notifications section on your home page or from the link within the email itself.

Other improvements

  • Add and remove custom domains/IPs using the public API
  • Add descriptions to files uploaded to questionnaires
  • Bug fixes
Jira Cloud Integration

Chris Schubert
March 1, 2022

Jira Cloud Integration

You can now send issues directly into your Jira Cloud project from UpGuard with our native Jira Cloud integration. Most Jira issue field types are supported and can be automated based on the content of a notification, providing robust customization options. For example, you could set up this integration to assign a Jira issue to a specific person whenever we detect a new vulnerability among your web assets. Check out this article to learn how to set up the Jira Cloud Integration. 

Essential Eight Questionnaire

The Australian Cyber Security Centre (ACSC) developed the Essential Eight in 2017 to protect Microsoft Windows-based internet-connected networks. While the Essential Eight may be applied to cloud services, enterprise mobility, or other operating systems, it was not primarily designed for such purposes. Alternative mitigation strategies may be more appropriate to mitigate unique cyber threats to these environments.

This iteration of the UpGuard Essential Eight Questionnaire will assess your vendors thoroughly across all eight mitigation strategies and provide the risks identified and scoring out of 950 (as our other questionnaires operate). We understand that the Essential Eight is typically based on maturity ratings which we may explore in future iterations of this questionnaire.

The Essential Eight Questionnaire can be used in conjunction with UpGuard's Anatomy of a Cloud questionnaire to analyze organizations’ cloud computing environments further.

Other improvements

  • You can now amend/edit remediation requests.
  • Bug fixes
What’s New in UpGuard | February 2022

UpGuard Team
February 28, 2022

Learn about new features, changes, and improvements to UpGuard this month.

  • Manually map out fourth-party vendors as you become aware of them, and add any corresponding information about specific products being utilized.
  • Select multiple vendors within the one workflow, and send them the same questionnaire simultaneously.
Send a questionnaire to multiple vendors at once

Chris Schubert
February 16, 2022

Send a questionnaire to multiple vendors at once

Sending a questionnaire to multiple vendors previously required you to repeat the questionnaire sending process for each vendor. Now we have streamlined this process, enabling you to easily send many questionnaires at once by selecting multiple vendors within the one workflow. This is particularly useful when a broad impact vulnerability such as SolarWinds or Log4j is discovered and you need to quickly assess your Tier 1 vendors to determine the risk exposure of your organization.

For more information on sending questionnaires, visit our knowledge base article ‘How to send security questionnaires in UpGuard’.

Other improvements

  • Bug fixes
Manually map fourth party vendors

Chris Schubert
February 2, 2022

Until now, only automatically discovered fourth parties could be viewed in our Fourth Parties feature. Now corporate+ customers can map out fourth party vendors as they become aware of them, and optionally add corresponding information about the specific products being utilized. For more information, see the knowledge base article ‘How to add a fourth party vendor in UpGuard’.

Other improvements

  • Performance improvements for the vendor portfolio risk profile.
  • Bug fixes
What’s New in UpGuard | January 2022

UpGuard Team
January 31, 2022

Learn about new features, changes, and improvements to UpGuard this month.

  • Send remediation requests that combine both automated web scanning and questionnaire-based risks, making the remediation process simpler for both you and your vendors.
  • Export Compliance Reports to both PDF and Excel so you can communicate these reports to your auditors and stakeholders.
  • Implement granular user permissions for your Shared Profile so you can custom tailor access and sharing ability.
Risk remediation requests now include both web and questionnaire risks

Chris Schubert
January 11, 2022

Risk remediation requests now include both web and questionnaire risks

You can now send remediation requests that combine both automated web scanning and questionnaire-based risks, simplifying the process for you and your vendors. It’s also much easier to preview your vendor's projected score once the remediation request has been resolved, allowing you to consider your risk appetite for that vendor.

For help requesting remediation from a vendor, check out: ‘How to request remediation from a vendor’ 

Export Compliance reports into PDF and Excel

In October 2021 we released the compliance reporting feature, which enables you to assess your vendor's risk profile against recognized security frameworks such as NIST CSF and ISO 27001. You are now able to export these results into PDF or Excel formats for your auditors and other stakeholders.

Granular user permissions for Shared Profiles

You can now assign user-specific permissions for your Shared Profile:

  • Read access to the organization's Shared Profile
  • Respond to Shared Profile access requests and invite people to view your Shared Profile
  • Update Shared Profile questionnaires and documents, and set the Shared Profile to published

Check out ‘Managing user permission for your Shared Profile’ for more information.

Other improvements

  • Vendor comparison selection functionality has been restored and improved
  • Control/Command clicking View questionnaires buttons will now open a new tab
  • Various bug fixes
2021
What's New in UpGuard | December 2021

UpGuard Team
December 31, 2021

Learn about new features, changes, and improvements to UpGuard this month.

  • Create a Slack integration directly from the UpGuard platform, enabling you to easily and securely get the information you need from UpGuard, direct to Slack.
  • Add your executives to a VIP list within the identity breaches module, and set up notifications to alert you if anyone on this list is involved in an identity breach.
  • Send questionnaires, request or use shared questionnaires, and add additional evidence from inside our new and improved risk assessments.
New and improved risk assessments and more

Chris Schubert
December 22, 2021

New and improved risk assessments

Over 60% of cyber security incidents come from trusted vendors. Secure your data and prevent this from happening to your business with our new and improved risk assessments. You can now send questionnaires, request or use shared questionnaires, and add additional evidence from inside a risk assessment. When the assessment is completed, set a reassessment date to make sure that you stay up to date with your vendors' risk profiles. Check out ‘How to complete a risk assessment’ for assistance in completing a risk assessment.

Apache Log4J - Critical Vulnerability Questionnaire and automated scanning

Control your Log4J critical vulnerability risk by sending your vendors our new Log4J questionnaire. We've also added an automated scan and verified vulnerability for Log4j CVE-2021-44228. This uses a basic detection mechanism as part of a GET request to a scanned domain, in order to keep our scanning as non-invasive as possible. It is important to note that the absence of this verified vulnerability does not mean that you or your vendors are 100% safe from this vulnerability, but the presence of the vulnerability means that you are likely exposed. Please see our blog post for more information on CVE-2021-44228 (Log4Shell) and how you can minimize your exposure.

Custom Domain for outbound emails

Tailor your workflow notifications to best represent your business, improving your vendors' confidence and diligence in opening and fulfilling your requests. By default, notifications and invites to outside parties come from an UpGuard email address. Now customers with co-branding can set up a customized mailing address such as UpGuard@yourbusiness.com or set notifications to come directly from their own email address wherever possible. For help setting this up, check out the knowledge base article ‘Sending outbound emails from a custom address’.

Native Slack integration, VIP identity breach list

Chris Schubert
December 8, 2021

Slack Integration

Get more value from UpGuard with the new Slack integration. You can create a Slack integration directly within UpGuard, enabling you to securely get the information you need from UpGuard, direct to Slack. You’ll be able to set up notifications to trigger directly into Slack, with the flexibility to display the information you need to act promptly.

Check out our ‘Setting up a Slack integration’ knowledge base article for help getting started.

VIP Identity breach list

The first question we hear our customers ask when an identity breach is reported is ‘are any of our executives exposed?’ Now you’ll be able to get peace of mind by adding them to a VIP list within the identity breaches module. You can then set up a VIP identity breach notification to let you know when your VIPs are exposed in an identity breach. It might even be worth setting up a separate Slack channel for VIP identity breach notifications! For more information about the Identity Breaches module, check out this article.

Other improvements

  • Domains marked as belonging to you on the Domains screen will now be automatically set to “Owned by us” in Typosquatting
  • A number of bug fixes
What’s new in UpGuard | November 2021

UpGuard Team
November 30, 2021

Learn about new features, changes, and improvements to UpGuard this month.

  • You can now assess a vendor’s risk profile by mapping risks against recognized security frameworks like ISO 27001 or NIST CSF.
  • We’ve added the list of associated domains for each IP address to our Excel exports.
  • You’re now able to bulk import vendors to your monitored vendors list by manually entering them, or uploading a CSV.
Curated dark web incident reports

Chris Schubert
November 25, 2021

Curated dark web incident reports 

Many organizations concerned with threat actors operating on the dark web lack visibility into actual activity on the dark web, relying on aggregated metrics of "hacker chatter" to detect and measure risk. Given that dark markets are notorious for scams, data reuse, and intentional misdirection to fool credulous observers, security analysts need visibility into raw data being published on the dark web to verify the veracity of the leak and assess any impact to their organization. UpGuard customers on the Professional tier and up will now see curated posts from ransomware leak blogs on the Incidents and News page tagged as Dark Web. 

Detection of Moodle vulnerabilities

Moodle vulnerabilities are now detected and reported in both BreachSight and Vendor Risk. Currently, it is not possible to detect software versions on many Moodle instances, so vulnerabilities from all versions of Moodle are shown. Stay tuned for further improvements to our Vulnerabilities module in the coming weeks, which should make dealing with this data easier. Learn more about how to use the vulnerabilities module in our knowledge base article “What is UpGuard BreachSight’s vulnerabilities module?”.

Improvements to Shared Profiles

Other improvements

  • Ignore multiple unverified vulnerabilities at once with the select all option.
  • This release includes a number of bug fixes.
IP address export now includes associated domains

Chris Schubert
November 8, 2021

IP address export now includes associated domains

When analyzing IP address information, it can be useful to see the list of domains associated with each IP address. Previously the PDF export of IP addresses showed the associated domains but the Excel version did not. 

We now include the domains associated with each IP address in both the PDF and Excel exports. For more information check out our knowledge base articles: 

Other improvements

  • This release includes a number of bug fixes
What's new in UpGuard | October 2021

UpGuard Team
October 31, 2021

Learn about new features, changes, and improvements to UpGuard this month.

  • We’ve added support for Zapier integrations, connecting your UpGuard account to thousands of supported apps.
  • Shared Profiles have been improved by enhancing the visibility of risks, scores, and unanswered questions within Questionnaires in a vendor’s shared profile.
  • Every page in the UpGuard platform now has an information icon in the header that will show you a brief overview of what you can do on the page, as well as page-specific links to further information in our Knowledge Base.
Compliance Reporting

Chris Schubert
October 28, 2021

Bulk Import vendors, tiers and labels

In this release, we have added the ability to bulk import vendors to your monitored vendors list. You can do this by entering a list of domains or uploading a CSV. Using the CSV import capability also allows you to assign tiers and labels to new or existing vendors. For help using this feature, check out the ‘Importing Vendors, Tiers, and Labels in UpGuard’ knowledge base article.

Custom notifications based on risk severity

You will now be able to create custom notifications that will alert you when a risk of a particular severity is identified for your company or your vendors. These notifications will also be available for integration via the webhooks functionality.

Risk framework mapping for compliance reporting

We’ve added the ability for you to assess a vendor’s risk profile by mapping risks against recognized security frameworks such as ISO 27001 or NIST CSF, making it easy to identify and remediate potential gaps. Check out ‘What is Compliance Reporting within UpGuard Vendor Risk?’ for more information.

New questionnaire UI 

You’ll also find a new UI for questionnaires, which will make it easier for your vendors to view questionnaires, identify outstanding questions, and ultimately complete them. Check out ‘How to send a security questionnaire in UpGuard Vendor Risk’ for more information.

Other improvements 

  • Ability to add custom logos to your shared profile.
  • Ability to exclude specific questionnaires from a vendor's questionnaire score.
  • More accurate remediation planner impact preview.
  • News webhooks now include ‘source’.
  • Various bug fixes.
Improvements to Shared Profiles

Chris Schubert
October 11, 2021

Special thanks to our Beta customers who continue to provide valuable feedback as we continue to develop the UpGuard product to better serve your needs. 

Improved visibility of Questionnaire details within Shared Profiles

In this release we are shipping the first of many future improvements to the Shared Profiles functionality, which we see as something that can notably reduce the time it takes for you to consider, onboard, or review a vendor's security posture. First up, we have improved the visibility of risks, scores and unanswered questions within Questionnaires in a vendor's shared profile.

Other improvements 

  • Improvements to our web scanning services (focus on cloud service subdomains)
  • Improvements to our domain scanning and verification
  • Ability for customers to see UpGuard CyberResearch services.
What's new in UpGuard | September 2021

UpGuard Team
September 30, 2021

Learn about new features, changes, and improvements to UpGuard this month:

  • You’re now able to share a public link to your shared profile, making it easy to proactively share your security posture and related documentation with current and prospective customers.
  • We’ve added more granular control over custom notifications, giving you flexibility and control over which alerts you want to see for each vendor.
Zapier integration

Christian Kiely
September 29, 2021

Zapier integrations now available

We've added support for integrating with Zapier, an automation platform that connects to thousands of apps. If you have a Zapier account, you can now connect UpGuard to any other app that Zapier supports. For example, you could monitor new vendors in UpGuard when a Google Form is submitted, or get a phone call via Twilio when new data leaks are detected.

Check out our Zapier Integrations page for more workflow examples and read our guide to get started.

New page header design

In this release, we've revamped the design of our page headers to make it easier to find information relating to the page you're looking at.

Every page now has an information (i) icon that will show you a brief overview of what you can do, along with page-specific links to our Knowledge Base for further information.

When viewing pages related to vendors, the new page header also allows you to see vital information at a glance, such as vendor tiers and labels, and gives a consistent way to perform vendor-specific actions such as generating a vendor report.

We've also added breadcrumbs to help give context as to the location of the current page within our page hierarchy.

Help & Support menu

We've added a new Help & Support menu, which can always be found at the bottom left of your screen. You can use this menu for quick access to our Knowledge Base, to view our latest release notes, or to contact our sales and support teams.

Changes View export

When viewing the changes over time for your own organization, a subsidiary, or a vendor, you can now export this view to PDF. Simply click the Export button while viewing changes on the Risk Profile page.

Other fixes and improvements

  • Viewing "passed checks" in the Risk Profile and Questionnaire screens now includes checks passed in in-built questionnaires
  • Improve detection of wildcard subdomains
Trigger notifications and integrations based on tiers or labels

Christian Kiely
September 15, 2021

In this release, we've added more fine-grained control over custom notifications in the platform. Custom notifications now support additional filtering based on vendor tiers, vendor labels, or domain labels.

Any number of these custom notifications can be created in an account, giving you the flexibility to set up alerts for vendors or domains you care most about, and avoid notification fatigue.

For example, you could now set up a notification to fire when any of your Tier 1 vendors (who you have also labelled as managing customer data) have a score drop of more than 10 in the last week. Such a notification type could be used for in-app notifications or emails for any member of your account, or even for a webhook integration.

Learn more about creating custom notifications here.

Other fixes and improvements

  • Avoid false positive detection of domain registrar protection risks
  • Remove some duplicate SSL risks when certain risks are already present
  • Improvements to initial scans for vendors and their subsidiaries
Public links for Shared Profiles

Christian Kiely
September 1, 2021

In this release, we've added the ability to share a public link to your Shared Profile. By embedding the public link on your website or email signature, anyone who follows the link will be able to sign up for a free UpGuard account to view your Shared Profile. If your Shared Profile is available by request only, you'll still be asked to approve access on an individual basis.

Publishing a public link to your Shared Profile is another way you can proactively share your security posture and related documentation with current and prospective customers, and means you can spend less time filling out manual assessments.  It can also help you close deals faster by skipping a typically slow part of the sales process. To see a great example of a public security page that includes an UpGuard Shared Profile, take a look at this one by Built Technologies.

To get started, publish a Shared Profile and read more about how to share a public link.

Other fixes and improvements

  • Remediation requests will now be automatically marked as complete when all risks are remediated
  • Significantly improved performance of Identity Breaches feature
  • Improvements to IP address attribution
  • Fixed issue where small nations would not appear on IP geolocation maps
What's new in UpGuard | August 2021

Abi Tyas Tunggal
August 31, 2021

Learn about new features, changes, and improvements to UpGuard this month:

  • You’re now able to compare the security posture of up to four vendors, side by side. This is a great tool for communicating the security posture of new vendors to stakeholders.
  • Customers have let us know how useful it would be to have more visibility into how fixing specific risks would impact their scores. With this in mind, we’ve created the remediation planner, adding a new score projection to the remediation module.
  • You now have a new way to organize your vendors, through the new Vendor Tiering. This allows you to organize your vendors based on the inherent risk they pose to your organization by breaking them up into tiers.
Remediation planner and vendor tiering

Christian Kiely
August 19, 2021

Calculate potential score changes with the remediation planner

Many customers have let us know that they would like more visibility into how fixing specific risks would impact their or their vendors' scores. Based on this feedback, we have added a new score projection into the remediation module.

Now, when creating a remediation request for your own organization, a subsidiary, or a monitored vendor, you can see an estimate of how the score will change if all requested risks are remediated.

Recipients of remediation requests will also be able to see the score projection, helping them to understand the impact that each risk has on their overall security posture.

To get started, create a new remediation request and read more about the remediation planner.

Vendor tiering

In this release, we've added a new way for you to organize your vendors. Vendor tiering allows you to classify your vendors based on the inherent risk they pose to your organization, and adjust the level of assessment you do on each vendor as a result.

For example, you may wish to classify a vendor that handles internal company communication as Tier 1, and a vendor that only stores publicly accessible information as Tier 3. When assessing each vendor, you could then elect to send detailed questionnaires to Tier 1 vendors, whilst assessing just based on web risks for Tier 3 vendors.

Once you have assigned tiers to your monitored vendors, you can easily filter the Vendors list by tier, and see a vendor's tier when viewing any vendor-specific page in the platform.

Learn more about how to use and configure vendor tiering here.

Include your subsidiaries in the BreachSight Executive Summary

If your organization has subsidiaries, you can now include them in the BreachSight Executive Summary, to get a full high level overview of your entire organization structure.

Overall risk breakdown, security rating distribution, highest vs lowest rated organizations, competitor analysis, risk category breakdowns, and geolocation risk reports are all supported.

To get started, navigate to the BreachSight Executive Summary and select the "Organization and subsidiaries" tab.

Other fixes and improvements

  • Remediation requests can now be saved as a draft before submitting
  • Recipients can be removed from an existing remediation request
  • A new scoring algorithm is now in use for all customer and vendor scores
  • Vendor Comparison is out of beta and now available to all customers
  • Fixes to how risk waivers are incorporated in various screens
Vendor comparison tool

Abi Tyas Tunggal
August 3, 2021

You can now compare the security posture of up to four vendors side-by-side and dive into the details to see which vendor represents the lowest risk. Comparing vendors is a great way to communicate the security posture of new vendors to stakeholders prior to onboarding the vendor. It's also a great way to see how your current vendors stack up against potential alternatives that may offer improved security.

This feature is currently in beta. If you would like to join the beta prior to the official release, please reach out to us.

When you compare vendors, you'll be able to see their overall security rating, average rating across their industry, as well as their rating across each risk category. This gives you a great, high-level view of their security posture.

If you want to dive deeper, you can scroll down to see their overall security rating over the last month, quarter, and year, as well as a breakdown of the number and severity of risks across their risk profile.

Below this, you'll get a breakdown of the number and severity of risks across each risk category, as well as a summary of all the assets associated with each vendor and general information about the vendor.

And if you need to communicate the comparison to stakeholders, simply click Export in the top-right corner of your screen to generate a downloadable PDF report that outlines everything shown on the page.

Learn how to compare vendors and export a vendor comparison report.

Due date, reminder date, and ability to update the title of remediation requests

Based on your feedback, we've made two improvements to our remediation request feature this release:

  • Due date and reminder date: You can now set a due date and reminder date when creating remediation requests. Once set, UpGuard will automatically notify the vendor via email on the specified dates, ensuring that your remediation requests are actioned.
  • Update title of remediation request: You can now update the title of a remediation request after it has been created.

Learn how to send an internal remediation request or a vendor remediation request.

Other fixes and improvements

  • You can now create a custom notification for when a vendor's score increases by X in Y days.
  • Improved the design of the modal you see when you first monitor a vendor
  • Added API support for vendors with no web presence
  • API activity now generates audit log events
  • Added support for retrieving a list of introduced and resolved risks from monitored vendors via the API
What's new in UpGuard | July 2021

Abi Tyas Tunggal
July 31, 2021

Learn about new features, changes, and improvements to UpGuard this month:

  • Sending a questionnaire to a vendor now prompts them to create a free Shared Profile, letting them proactively share their security rating, completed questionnaires, and supporting security documentation.
  • Building off of the newly improved questionnaire process for vendors, we’re now applying the same process to the customer-facing experience.
  • You’re now able to add and assess vendors that don’t have a website. This is great for situations where you need to assess a vendor who doesn’t have a web presence, but will be handling your sensitive information.
  • We’ve also added support for viewing a vendor and its subsidiaries in the vendor’s Risk Profile, letting you see all identified risks across the vendor and its subsidiaries.
Support for subsidiaries in your vendor's Risk Profile

Abi Tyas Tunggal
July 21, 2021

We've added support for viewing a vendor and its subsidiaries in its Risk Profile.

This view lets you see all the risks present across the vendor and its subsidiaries. Each of the identified risks has a severity, name, risk type, category, and a number of organizations impacted. By default, findings are sorted by severity, with critical severity items at the top.

You can drill down into each identified risk to see the impacted organizations and their associated domains. However, you will need to be monitoring the subsidiary as a vendor to request remediation or to waive the risk. You can do this by clicking Monitor vendor.

Additional SSL-based checks

We've added support for three new SSL-based checks:

  1. Untrusted SSL certificate (informational severity): The certificate presented by this domain was not issued by a trusted certificate authority and therefore cannot be verified by browsers.
  2. SSL certificate chain missing from server response (medium severity): There is an invalid or missing intermediate certificate. This can cause some browsers to break the padlock. An intermediate/chain certificate may need to be installed to link it to a trusted root certificate.
  3. SSL expiration period longer than 398 days (medium severity): Certificates issued on or after September 1, 2020 must not have a validity period greater than 398 days. The certificate will need to be reissued with a maximum validity of 397 days.
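
The validity-period rule in the third check can be evaluated directly on the dictionary that Python's `ssl.SSLSocket.getpeercert()` returns. The following is an added example, not UpGuard's scanner code: it assumes `notBefore` stands in for the issuance date and that the validity period is counted inclusively in 86,400-second days, and the sample certificates are constructed.

```python
import socket
import ssl
from dataclasses import dataclass
from datetime import datetime, timezone

DAY_SECONDS = 86_400
MAX_VALIDITY_DAYS = 398
# The limit applies to certificates issued on or after September 1, 2020 (UTC).
CUTOFF = int(datetime(2020, 9, 1, tzinfo=timezone.utc).timestamp())


@dataclass(frozen=True)
class ValidityResult:
    days: int            # validity period, rounded up to whole days
    limit_applies: bool  # True when notBefore is on or after the cutoff
    compliant: bool      # True when the limit does not apply or is respected


def check_validity_period(cert: dict) -> ValidityResult:
    """Evaluate the 398-day rule on a getpeercert()-style dictionary."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not_after < not_before:
        raise ValueError("notAfter precedes notBefore")
    # Assumption: both endpoints are part of the period, so add one second,
    # and any fraction of a day counts as a further day (ceiling division).
    seconds = not_after - not_before + 1
    days = -(-seconds // DAY_SECONDS)
    limit_applies = not_before >= CUTOFF
    compliant = not limit_applies or days <= MAX_VALIDITY_DAYS
    return ValidityResult(days, limit_applies, compliant)


def fetch_certificate(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch a server's leaf certificate for check_validity_period().

    The default context verifies the chain, so the handshake raises
    ssl.SSLCertVerificationError when the issuer is untrusted or the
    chain cannot be built to a trusted root.
    """
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates (only the two fields the check reads).
SAMPLE_CERTS = {
    "exactly-398-days": {
        "notBefore": "Sep  1 00:00:00 2020 GMT",
        "notAfter": "Oct  3 23:59:59 2021 GMT",
    },
    "one-second-over": {
        "notBefore": "Sep  1 00:00:00 2020 GMT",
        "notAfter": "Oct  4 00:00:00 2021 GMT",
    },
    "397-days": {
        "notBefore": "Mar  1 12:00:00 2024 GMT",
        "notAfter": "Apr  2 11:59:59 2025 GMT",
    },
    "issued-before-cutoff": {
        "notBefore": "Aug 31 23:59:59 2020 GMT",
        "notAfter": "Dec  4 23:59:59 2022 GMT",
    },
}

if __name__ == "__main__":
    for name, cert in SAMPLE_CERTS.items():
        print(f"{name}: {check_validity_period(cert)}")
```

A single second past the 398th day tips the certificate into a 399-day validity period, which is why reissuing at 397 days leaves a safe margin.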

Other fixes and improvements

  • Creating vendors with no web presence is now available for all customers with vendors
  • Added notification for news articles in Incidents & News
  • Increased upload limit from 10MB to 50MB
  • Added highlight for news articles tagged as Advisory in Incidents & News
  • Improved handling of WAFs and CAPTCHA for our automated scanning engine
  • Fixed issue causing inactive subdomains to not be scanned in some situations
Vendor Shared Profiles

Abi Tyas Tunggal
July 7, 2021

Now when you send a vendor a questionnaire through UpGuard, they'll be prompted to create a free Shared Profile that lets them proactively share their security rating, completed questionnaires, and other security documentation.

If a vendor chooses to create one, it will drastically cut down the time it takes for you and other UpGuard customers to assess them in the future. It also benefits the vendor as they'll spend less time filling out the same questionnaire while ensuring their customers have an accurate and up-to-date view of their security posture.

Vendors will be able to publish the following information on their Shared Profile:

  • Security ratings: Toggle the inclusion of their own and their industry average security rating. Learn more about security ratings here.
  • Security contact: Share contact information for the team or key employee who is responsible for security.
  • Company description: Help users quickly understand what the vendor does.
  • Security questionnaires: Proactively share complete security questionnaires to reduce time spent on answering similar assessments.
  • Supporting documentation: Share security-related documentation or compliance certifications such as PCI DSS, SOC 2, ISO 27001, FedRAMP, etc.

Learn more about Vendor Shared Profiles.

Create vendor with no web presence

Abi Tyas Tunggal
July 6, 2021

You can now add and assess vendors with no web presence. Prior to this release, vendors needed a website to be added to UpGuard. Now you can add any vendor you like, even if they don't have a website.

This is great for situations where you need to assess an independent contractor who doesn't have a web presence but will handle your organization's sensitive information. Once you've added them as a vendor with no web presence, you'll be able to send them a questionnaire and assess them based on their responses. You'll also be able to add contacts, upload additional evidence, and perform a risk assessment inside UpGuard.

This feature is currently in closed beta. If you would like to beta test the feature, please contact us.

Learn how to create a vendor with no web presence.

Improvements to the questionnaire process for customers

In May, we rolled out an improved questionnaire experience for vendors that was designed to reduce the time it takes for you to get a complete and accurate questionnaire.

In this release, we're taking what we've learned from that process and applying it to the customer-facing experience. The new page replaces, improves, and streamlines our previous questionnaire details page.

You can now quickly see the progress of the questionnaire, view unanswered questions, and view any associated remediation requests you have created. Messages now appear in the top-right corner of your screen which makes it simple to respond to any vendor queries.

The page has been split into three separate tabs:

  1. Overview: Questionnaire metadata, progress, remediation requests, and unanswered questions.
  2. Documents: Any attached documents
  3. Timeline: The version history and timeline of the questionnaire

Other fixes and improvements

  • Any users that are invited to a questionnaire or remediation request will now appear in the timeline
  • Added support for retrieving all risks for an organization via the API
  • Added support for IP addresses in the risks diff API
  • Fixed issue causing domains parked at Gandi to be marked as active rather than inactive
  • Added questionnaire designed to determine exposure to the recent supply chain ransomware attack that impacted Kaseya VSA
  • Fixed issue causing questionnaire reminders to not be sent if one or more emails associated with the reminder bounced
  • Added modal to inform you when you've hit your vendor limit
  • Fixed issue causing security ratings and labels to not appear in domain view from a risk assessment
What's new in UpGuard | June 2021

Abi Tyas Tunggal
June 30, 2021

Learn about new features, changes, and improvements to UpGuard this month:

  • You’re now able to generate a risk report for your own organization, giving you a great tool to use with non-technical audiences to drive decision-making and speed up remediation.
  • The new and improved BreachSight Executive Summary has been crafted to make it as easy as possible for you to communicate your organization’s security posture to different stakeholders.
  • We’ve improved and simplified the management of your shared profile, letting you proactively share security-related information with the companies that need to assess you.
Shared Profile enhancements

Abi Tyas Tunggal
June 22, 2021

We've significantly improved and simplified the management of your Shared Profile.

For background, a Shared Profile lets you proactively share security-related information with companies that need to assess you. This typically includes completed security questionnaires and compliance certifications like PCI DSS, SOC 2, ISO 27001, or FedRAMP.

By completing your Shared Profile, you'll build trust with your business partners and show that your organization is taking cybersecurity seriously. You'll also spend less time filling in manual assessments while ensuring customers have an accurate and current view of your security posture.

When you go to manage your Shared Profile, you'll now see a checklist of what you need to do to complete it. As you fill out more of your profile, we'll automatically check off the associated line item in the checklist. This makes it easy to see what you have added and what you may be missing.

As part of these improvements, we've also improved the design of your Shared Profile, added support for adding a security contact and company description, and added the ability to toggle the inclusion of your security rating.

Learn how to publish your shared profile.

Remediation workflow enhancements

We're making it even easier to create and manage remediation requests. Creating an internal remediation request is now just two steps, down from four. Likewise, vendor remediation requests are now a maximum of four steps, down from six. Each request will take you less time to create, freeing you up to focus on other activities.

After creating a request, you'll also notice that we've significantly improved the information hierarchy of the remediation request details page. The page has been split into two tabs:

  • Overview: Metadata about the request, detailed insights into the progress of the request, and the risks and assets that are under remediation
  • Timeline: The important events that have happened in the request

Messages now appear in the top right corner of your screen, which makes it easy to respond to any queries recipients may have.

Learn how to send an internal remediation request or a vendor remediation request.

Other fixes and improvements

  • You can now export all your audit log events or export the last 30, 60, 90, 120, or 365 days
  • Added support for pulling your own, your vendors', and your subsidiaries' domains, IPs, and IP ranges, as well as associated information like the asset's security rating via the API
  • Domains, IP addresses, IP ranges, and vendors can now be labelled via the API
  • Improved design of login, signup, and password reset screens.
Risk Report

Abi Tyas Tunggal
June 8, 2021

Our Vendor Risk Reports are one of our most used features. In fact, many of you have gone as far as to monitor yourself as a vendor so you can get access to a similar report on yourself!

The good news is you no longer need to do this. You can now generate a Risk Report that outlines the security posture of your organization. This report can be configured to include automated scanning results, competitor analysis, geolocation data, and underlying risk details.

It provides context about identified risks, remediation recommendations, and information about how each risk category contributes to your overall security rating.

Like our Vendor Risk Report, the language in the Risk Report is simple, easy to understand, and suitable for non-technical audiences, which makes it a great tool to drive decision-making, speed up remediation, and highlight areas that could use additional resources.

Learn how to generate a risk report.

Improvements to BreachSight Executive Summary

The improved BreachSight Executive Summary is designed to make it even easier for you to communicate your security posture to stakeholders. The page and associated PDF export now outline the average security rating for your industry and provide a description and weighting for each risk category. This makes it simple for new users and internal stakeholders to understand what UpGuard measures, how you're tracking against your industry, and your strengths and weaknesses.

To see a breakdown of how each category contributes to your security rating, click "How does each risk category attribute to this score?" in the BreachSight overview section or click on the weighting in any of the risk categories.

We've also invested in improving the add competitors modal in the Competitor Analysis. The new design makes it easy to find and add competitors: just type in the name or URL, then click Add competitor.

Learn more about the BreachSight Executive Summary and how to add a competitor.

Other fixes and improvements

  • Added support for pulling Typosquatting information via the API
  • Added Last Assessed to PDF export of Vendors
  • Added letter grade to XLS export of Vendors
  • Fixed issue causing Status and Risks detected columns to not match across the app and PDF export of Questionnaires
  • Improved error and alert feedback design
  • Email addresses that hard bounce are now automatically ignored in Identity Breaches
What's new in UpGuard | May 2021

Abi Tyas Tunggal
May 31, 2021

Learn about new features, changes, and improvements to UpGuard this month:

  • The new Incidents & News feed provides you with a searchable, chronological list of security updates that matter to you.
  • You now have the ability to create and manage custom roles, making it simple to assign team members the correct permissions within the UpGuard platform.
Incidents & News feed

Abi Tyas Tunggal
May 26, 2021

Current UpGuard customers rely on Identity Breaches to identify and notify employees who have had their credentials exposed in a third-party data breach. But not every breach impacts your organization, nor do we have access to the details of every breach.

Prior to this release, breaches that fall under this definition weren’t visible inside UpGuard, nor were other important security-related events such as ransomware attacks or M&A activity. Even if these incidents don’t impact your organization, they provide important context that can feed into your risk assessment on a vendor.

Incidents & News is designed to provide you with a searchable, chronological feed of publicly disclosed data breaches and other security-related information such as cyber attacks, ransomware, malware, acquisitions, spin-offs, mergers, and more. 

The feed is broken down into individual items that have a date, severity, type, impacted company, summary, and where applicable other related companies. At the top of Incidents & News, you’ll see three tabs that filter down results:

  1. Incidents: Think data breaches, cyber attacks, ransomware, malware, etc.
  2. News: Mergers, acquisitions, spin-offs, and other security-related news. 
  3. You and your vendors: Incidents and news related to you or your vendors. 

By default, results are limited to the last twelve months, but you can adjust this timeframe as you like.

Incidents & News is currently in closed beta and will be rolled out to all customers soon. 

Learn more about Incidents & News here.

Improved questionnaire process for vendors

We’re rolling out an improved questionnaire experience for vendors to reduce the time it takes for you to get a complete and accurate questionnaire. The new page replaces, improves, and streamlines our previous questionnaire details page which vendors told us was confusing. 

Vendors can now quickly start answering the questionnaire, track their progress, discover unanswered questionnaires, and see any associated remediation requests. Messages sent to vendors will now appear in the top right corner of their screen, which makes it simple to respond to your queries.

The page has been split into three separate tabs: 

  1. Overview: Questionnaire metadata, progress, remediation requests, and unanswered questions.
  2. Documents: Any attached documents 
  3. Timeline: The version history and timeline of the questionnaire

Learn more about how UpGuard makes it easy for vendors to answer questionnaires.

Better remediation reporting

Managing and reporting on your remediation activity gets harder as you scale. That’s why we’re excited to be improving the reporting functionality for Remediation Requests.

Remediation request tables now show the total number of active requests as well as a breakdown of the number of requests at each stage (in progress, awaiting review, completed, archived).

This makes it simple to keep track of your overall progress and to dive deeper into the requests that need your attention. We’ve also added support for exporting remediation requests to PDF or Excel, making it easy to share progress with internal stakeholders, auditors, and regulators.

Learn how to export your internal or vendor remediation activity here.

Other fixes and improvements

  • Added Date Published field to Identity Breaches API
  • Added Last Assessed field to Vendors API
  • Improved Typosquatting results by adding support for commonly used prefixes and suffixes
  • Improved performance of Domains in tree view
  • There is now a task for when a questionnaire needs to be resent
Role-based access control and granular user permissions

Abi Tyas Tunggal
May 12, 2021

You likely already restrict access to a portion of your UpGuard account to specific users. For example, not every user on your account should have administrative access. But what we’ve heard from you is that as you onboard more users, it gets harder and harder to manage, keep track of, and update the permissions of each user. 

That’s why we’re introducing role-based access control. Administrators can now create and manage custom roles, making it easy to ensure each teammate has the right permissions and that your organization is following the principle of least privilege. You can learn more about RBAC and the principle of least privilege on our blog.

Managing roles is as simple as creating a role, configuring your desired permissions, and assigning it to users. If you need to update a role later, any changes will cascade down to the assigned users too. 

We also heard that you wanted more granular permissions. That’s why you can now decide whether a user has access to BreachSight, Vendor Risk, or CyberResearch. This is great for situations where one team manages your attack surface and another separate team manages your vendors. 

In addition to these improvements, you can now decide whether a user has read-only or full access to BreachSight’s or Vendor Risk’s core features, as well as whether a user has access to Identity Breaches and Typosquatting. 

Role-based access control is currently in closed beta and only available for certain plans. Please reach out to us if you would like to learn more. 

Learn how to create and manage roles.

Label vendor and subsidiary domains, IP addresses, and IP ranges plus support for labelling in tree-view

Another frequent bit of feedback we receive is that you want to be able to label your vendor’s or your subsidiary’s domains, IP addresses, and IP ranges so you can drill down into the specific assets that mean something to you. Now you can. 

Next time you’re on a vendor’s or subsidiary’s Domains or IP Addresses page, you’ll see an Add label on the far right of the table. Clicking Add label will allow you to add an existing label or create a new one. For context, labels in UpGuard are broken down into vendor and asset labels. This means that domain and IP address labels are shared across BreachSight and Vendor Risk.

As part of these improvements, we’ve refreshed the design of the labels modal, moved the management of labels to Settings under the Labels tab, and added support for labelling domains in tree view across BreachSight and Vendor Risk. 

These improvements make it easier than ever to track your and your vendors’ assets and to keep your team’s labels under control. 

Learn how to label your vendor domains, IP addresses, and IP ranges and your subsidiary’s domains, IP addresses, and IP ranges, as well as how to manage your labels.

Trigger webhook calls from audit log events

Administrators can now push Audit Log events into other platforms using our Integrations feature. For background, Integrations uses webhooks to notify your other applications when an event happens in your account. Examples of these events include when an identity breach or data leak is detected, the score of a watched vendor drops below a threshold, and now any Audit Log event of your choosing.

Learn how to integrate UpGuard with other services.

Other fixes and improvements

  • Added an exception for Kubernetes clusters that sit behind AWS Elastic Load Balancing. This means that scores won’t change unexpectedly when Kubernetes stops and starts.
  • Fixed bug causing Excel report generation to break for large exports
  • Vulnerabilities that have been waived will no longer produce notifications
  • Improved design of domain side panel to indicate when a risk is coming from www or the root domain
What's new in UpGuard | April 2021

Abi Tyas Tunggal
April 30, 2021

Learn about new features, changes, and improvements to UpGuard this month:

  • We’ve introduced a convenient new Home screen to replace the notifications page.
  • You can now share completed risk assessments and additional evidence with your related organisations who also have an UpGuard account.
  • You now have the ability to discover and drill down into the geographies that you and your vendors are operating in.
Geolocation Risk

Abi Tyas Tunggal
April 29, 2021

Geolocation Risk lets you discover and drill down into the geographies that your infrastructure and your vendors’ infrastructure are operating in. It’s similar to Fourth Parties but focused on geographies instead of fourth parties.

Monitoring Geolocation Risk is a great way to understand whether data is being hosted in different countries and what data and privacy laws may be in place to protect it.

It’s also a great way to keep track of what countries your data may be stored in. This is particularly important for organizations in regulated industries like financial services or healthcare who may have regulatory requirements that dictate what countries data can be stored in. 

Geolocation Risk information is available in the BreachSight Executive Summary, Vendor Risk Executive Summary, Vendor Summary, and the Vendor Risk Report.

Geolocation Risk is currently in beta. If you would like us to enable it on your account, please contact us.

Other fixes and improvements

  • Changed names of Concentration Risk and Supply Chain to Fourth Parties to improve consistency across the product and to better reflect what the feature does
  • Improved the subject line of invitation emails making it even easier for new users to get started
  • Removed the register a domain button from Typosquatting 
  • Owned IP ranges with no active IP addresses are now shown in your or your vendors’ IP Addresses
  • IP addresses that are part of an owned IP range and are discovered through a DNS record will now be labelled as Owned and DNS rather than only one
Home

Abi Tyas Tunggal
April 16, 2021

Keeping on top of what has happened in your UpGuard account is one of the most important things you can do to improve your security posture. That’s why we’ve created Home. Home is a replacement for the existing Notifications screen. It highlights new events and actions that have occurred since you last logged in. 

Events can include score changes for your websites or your vendors, typosquatting updates, vulnerability notifications, and more. For UpGuard administrators, it can also include audit log events. 

Home is split into two tabs: All activity and My tasks.

All activity is broken down into cards, with each card linking directly to the relevant section in the app, making it even easier to dive deeper into the events that matter most to you. Each card also has a list of breadcrumbs to help you passively learn the structure of the platform over time. 

My tasks gives you an up-to-date list of the actions you need to take next inside UpGuard. This can include things like approving risk waivers, replying to messages, reviewing submitted security questionnaires, and actioning remediation requests. Tasks will stay active until you complete or dismiss them. 

Home is currently in beta. If you would like us to enable it on your account, please contact support@upguard.com.

Learn how to manage your Home screen.

Improved support for CyberResearch tiers

Customers who have purchased more than one tier of our third-party risk management services can now pick which service level they want the vendor assessed to. We’ve also added support for defining the importance of the vendor to your organization. 

As part of this work, we’ve also improved the granularity for the statuses shown in Managed Vendors to make it even easier to see where your request is up to. This means that rather than seeing that a request is in progress, you’ll be able to see where in the process your request is up to, such as gathering evidence, performing risk assessment, remediating risks, etc.

If you are an existing customer who wants to learn more about our third-party risk management services, please contact support@upguard.com 

Learn more about Managed Vendors here

Securely share vendor assets with related entities

Gathering evidence and performing risk assessments are time-intensive and expensive for you and your vendors. That’s why we’re introducing a way to securely share your completed security questionnaires, additional evidence, and risk assessments with those related entities who also have an UpGuard account. 

If your organization is part of a multi-org account, you and your related entities can now proactively share vendor assets. Sharing assets is a great way to eliminate the email back and forth that is usually associated with onboarding a new vendor, allowing your organization to assess more vendors in less time by leveraging the work done by related entities. 

To understand how Shared Assets works, let’s go through an example. 

Imagine you need to assess a potential vendor for your marketing team. You log into UpGuard, monitor the vendor, and click on Shared Assets. You see that a related entity has shared a completed questionnaire and a risk assessment. 

Rather than doing your own assessment, you request access to your related entity’s assets, read through them, and determine the vendor is not adequately secure. You respond to your marketing team’s query, outlining why the potential vendor is not a good fit based on your related entity’s assessment. 

And just as you can control access to your Shared Profile, you can control who has access to your Shared Assets. Related entities won’t get access to your assets unless you provide it to them.

Learn how to use Shared Assets here

Other fixes and improvements

  • Removed the use of no-reply from our transactional email addresses which should improve deliverability of our emails
  • Improved design of the vendor summary to display all available assets
  • Third-party risk management services customers can now create, edit, and publish their own risk assessment
  • Improved the performance of the changes view for you and your vendors
Speed is a feature

Abi Tyas Tunggal
March 31, 2021

We’ve made significant performance improvements to key pages like the Risk Profile and Vendor Summary. When you next visit one of these pages you’ll notice they load significantly quicker, particularly for large vendors with thousands of domains. 

This means less time spent waiting for things to load and more time diving into the details that matter to you. 

Other fixes and improvements 

  • Added support for document storage in India
What's new in UpGuard | March 2021

Abi Tyas Tunggal
March 31, 2021

Learn about new features, changes, and improvements to UpGuard this month:

  • You can now build your own custom security questionnaires, right inside the UpGuard platform.
  • We’ve also introduced a new option to schedule recurring reports on a weekly, monthly, quarterly, or yearly cadence.
  • You now have the ability to export inactive domains owned by you or your vendors. We've refreshed the design of the "Domains" PDF export to support this.
Export inactive domains

Abi Tyas Tunggal
March 16, 2021

You can now export your own and your vendors’ inactive domains. To support this new feature, we’ve refreshed the design of the Domains PDF exports. The new design makes it super simple to see which domains are active and which are inactive, as well as when domains were last scanned. 

If you have any feedback on this or any other feature, don’t hesitate to reach out to us.

Learn how to export your domains or a vendor’s domains.

Export audit log

We’re giving you more control over where you can use audit log data by allowing UpGuard administrators to export to Excel. This makes it simple to ingest events into other platforms or to track employee usage of the UpGuard platform. 

Learn how to export your audit log

Other fixes and improvements

  • Fixed issue where vendors were still being scored when they had no active domains
  • Fixed issue causing vendors to have a questionnaire score when they had no completed questionnaires
  • Added optional expiration date for additional evidence
  • Added a verified vulnerability check for the new Microsoft Exchange vulnerability (CVE-2021-26855)
  • Added pagination on questionnaire page
Build your own security questionnaires

Abi Tyas Tunggal
March 4, 2021

You can now build your own security questionnaires inside the UpGuard platform. Start from scratch, or use one of our growing library of questionnaires as a starting point and adjust it to cater for your specific needs.

Creating a custom questionnaire is easy. We provide you with a range of question types designed to cater for different circumstances. Think single, multi-select and text-based answers, as well as file uploads to capture additional evidence and sections to group related questions together. 

Like our in-built questionnaires, custom questionnaires can be configured to automatically identify risks based on one or more answers to a set of questions. When a risk is identified, you can also choose whether or not to ask respondents for compensating control information.

In addition to automatic risk identification, our custom questionnaire builder has powerful conditional logic which lets you ask the right questions and skip the rest. Asking only what is required means more thoughtful responses and higher completion rates. 

All in all, your custom questionnaires can be as powerful as you want them to be.

While we iron out the last kinks, this is a beta feature. You can get it enabled by reaching out to our support team. If you have any feedback on this or any other feature, don’t hesitate to reach out to us.

Learn how to use our questionnaire builder.

Recurring reports

We have added the option to schedule recurring reports.

Exporting data in UpGuard has so far required you to log in, navigate to the desired page, and then click the export button each time you want fresh data. This can become frustrating if you want to export the same data on a recurring schedule or if you need to share the data with stakeholders who don’t use the UpGuard platform.

This is why we built a new way to export reports that makes it super simple and fast to create recurring reports on a weekly, monthly, quarterly, or yearly cadence. The new export modal also lets you add any email address, so you can easily share recurring reports with colleagues or stakeholders who aren’t UpGuard users.

Recurring reports is currently a beta feature. If you would like to be a beta tester, please reach out to our support team.

Learn more about recurring reports.

Other fixes and improvements

  • You can now remove the original recipient and change the sender when resending questionnaires
  • Added support for multiple recipients when creating a questionnaire or remediation request
  • Fixed issue where /vendors and /vendor endpoints were returning different scores
  • Fixed issue where vendors using Amazon CloudFront would be penalized
  • Fixed issue causing an open port 7654 on Azure Apps environments to be raised as a risk
  • Domains parked at NetRegistry will now be classified as inactive
  • Fixed issue where custom domains were not shown when they failed their first scan
  • Vulnerability notifications now lead to a filtered version of the vulnerabilities page that is specific to the notification
  • Fixed issue causing vendors with no active domains to not load
What's new in UpGuard | February 2021

Abi Tyas Tunggal
February 28, 2021

Learn about new features, changes, and improvements to UpGuard this month:

  • You’re now able to export your list of monitored typosquatting domains, as well as any registered, unregistered, and ignored permutations of a specific domain.
  • We’ve also introduced filters for typosquatting. When you export, you can apply any active filters.
  • ‘Vendor Risk Waivers’ is a small but meaningful improvement that lets you waive vendor risks that have been identified through automated scanning, questionnaires, and additional evidence.
Export typosquatting

Abi Tyas Tunggal
February 23, 2021

You can now export your list of monitored typosquatting domains, as well as the registered, unregistered, and ignored permutations of a specific domain to PDF or Excel. 

Once exported, you can use the permutations in workflows outside the UpGuard platform. This may include adding registered permutations to a default block list for your email gateway, handing them over to your legal team to do takedown outreach, or feeding them into a separate platform. 

In addition to these improvements, we’re also introducing filtering for typosquatting. You can filter down the number of typosquatting permutations by selecting a specific type. For example, you may want to identify all the possible typosquatting permutations that are homoglyph substitutions. And when you go to export, you’ll have the option to apply any active filters.

Learn how to export from typosquatting or filter typosquatting permutations results.

Other fixes and improvements

  • You can now retrieve files uploaded to a vendor’s documents, questionnaires, or additional evidence via our API
  • Active vendor risk waivers now appear in the Vendor Report as well as Risk Profile, Risk Assessment, and Portfolio Risk Profile exports
  • Compensating control information for questionnaire risks is now visible on the questionnaire details page
  • Waiving a risk from a specific questionnaire now only selects the risk from the corresponding questionnaire
  • Fixed bug where compensating control information was being displayed for all questionnaires rather than only the questionnaires that the risk was waived from
  • Fixed issue where Vendor Summary prompted Third-Party Risk Management Services customers to create or edit a questionnaire when one didn’t exist or was in draft
  • Standardized time format in UpGuard API to 6 decimal places
  • Improved text in vendor risk report to support situations where details are not exported
  • Fixed issue where inactive domains were not showing if there were no associated scanning results
  • Fixed issue where parent domain wasn’t showing in tree view when all subdomains were inactive
Waive vendor risks

Abi Tyas Tunggal
February 8, 2021

We’ve made a small but meaningful improvement to how you manage vendor risks inside UpGuard. Vendor Risk Waivers lets you waive vendor risks identified through automated scanning, questionnaires, and additional evidence.  

This feature is particularly useful for risks identified through questionnaires. For those that are not aware, when you send a questionnaire through the UpGuard platform we automatically identify risks based on the answers provided by your vendor and ask for compensating control information. 

In the past, you couldn’t use this compensating control information to waive the risk even if you were happy with the information provided. Now you can waive risks and remove them from the vendor’s risk profile if the vendor has adequate compensating controls. 

Vendor Risk Waivers is currently in closed beta. If you would like access, please contact UpGuard support.

Learn how to waive a vendor risk.

Detect vendor data leaks

We’re introducing a new managed service called Vendor Data Leaks. As you may be aware, our team of analysts and proprietary data leak detection engine give us an unparalleled ability to find leaked credentials and exposed data before it gets into the wrong hands. 

Vendor Data Leaks extends these capabilities by monitoring for data leaks at your vendors so you know if they’ve exposed data before it impacts your organization. When our data leak detection engine finds an exposure at your vendor, our analysts review the data, assign a severity, and speak to you to get an appropriate vendor contact. 

Once we have a contact, we’ll work directly with the vendor to remediate the issue and notify you when the exposure has been resolved. 

Vendor Data Leaks is currently in closed beta. If you would like more information, please contact UpGuard support.

Learn more about vendor data leaks.

Other fixes and improvements

  • You can now use the category filter on the risk profile in exports
  • Improved design of export modal
Enhanced support for IP addresses

Abi Tyas Tunggal
January 19, 2021

Our IP Addresses feature helps you manage your cyber risk by providing an IP-centric view of your organization and its vendors’ attack surfaces. With IP Addresses, UpGuard automatically finds the IP addresses and ranges associated with the DNS records of an organization’s domains, as well as any IPs or ranges that are added manually. In the coming weeks, we’ll further enhance this feature by attributing ownership of IP ranges based on WHOIS data.

If an IP address is associated with at least one domain, UpGuard has already been scanning it during our domain-based analysis of security issues, misconfigurations, and vulnerabilities. As you know, this analysis then feeds into our scoring algorithm which gives the domain a security rating.

As part of this release, we now scan IP addresses that don’t have a DNS record for open ports and other security issues and give those IPs a security rating. Just as you can drill into the underlying issues associated with a scored domain, we surface the underlying security issues associated with these IP addresses, and what we recommend you do to improve your security posture. 

The other major change we’ve made is support for IP ranges. When you add an IP range, UpGuard will periodically scan through the range to discover any new assets. This is an excellent way to reduce the risks associated with shadow IT services as we’ll uncover potentially unknown assets during these scans.

Clicking into an individual IP address will show you the owner, associated IP range, country, autonomous system (AS), autonomous system number (ASN), and any associated domains or risks. Likewise, by clicking into an IP range, you’ll see the owner, country, and number of IPs in the range, as well as any detected IP addresses or domains. Both views can be filtered by services, IP owner, ASN, or IP country.

IP Addresses is currently a beta feature. If you or your team would like to test IP Addresses prior to its official release, please contact us at support@upguard.com.

Learn how to monitor your IP addresses and ranges and see how we can help you monitor your vendor’s IP-based assets here.

Templates for remediation requests, risk assessments, questionnaires, and identity breach notifications

Templates lets administrators set up templates for remediation requests, risk assessments, questionnaires, and identity breach notification emails sent from the UpGuard platform.

Using templates is a great way to save time and ensure consistency and uniformity across teams and processes by reducing mistakes and errors caused by copying and pasting text across documents.

Templates are available for customers on the Professional bundle and up or as an add-on on lower plans.

Learn how to set up templates

Other fixes and improvements:

  • Changed Attestations to Answer Questionnaires in the sidebar to make it easier for new users to know where they need to go to respond to questionnaires
December 2020
Let UpGuard manage your third-party vendor risk

Abi Tyas Tunggal
December 15, 2020

Managed Vendors helps you manage your third-party vendor risk. UpGuard analysts assess your vendors and present their findings in a comprehensive report based on the analysis of security questionnaires, compensating control information, public security documentation, and security ratings data. 

Beta users can now see which vendors are managed by UpGuard, request an assessment, and get notified when analysts publish a new assessment from inside the platform. 

Managed Vendors is currently a beta feature. If you are a current Managed Vendors customer or want to learn more about how UpGuard can help you manage your third-party vendor risk, please contact us at support@upguard.com

Learn more about managed vendors and how to use it.

Other fixes and improvements:

  • Added support for filtering by individual CVE on the subsidiary risk profile
  • Standardized and increased character limits on in-app correspondence
  • Risk rating icons and alert colors now match
  • Fixed issue causing questionnaires to become unavailable in Vendor Risk Report when new questionnaire was in draft
What's new in UpGuard | November 2020

Abi Tyas Tunggal
November 30, 2020

Learn about new features, changes, and improvements to UpGuard this month:

  • We’re adding support for subsidiaries as a beta feature. This makes it easy to identify common misconfigurations and security issues shared across your organization and its subsidiaries.
  • Filters on your portfolio Risk Profile now dynamically apply.
  • The buttons and fields throughout the platform now all look, feel and behave in the same way.
Improved input fields, buttons styles, and hover states

Abi Tyas Tunggal
November 25, 2020

We’ve updated input fields and buttons styles throughout the platform to ensure consistency. Whether you’re searching for findings on your risk profile, looking for a specific vendor, or filtering vulnerabilities, input fields and buttons should now look, feel, and behave in the same way. This makes it easier for new users to get up to speed quickly and for existing users to learn how to use new features as we release them.

In addition to these changes, we’ve made accessibility improvements to our icons by increasing their clickable area and adding hover states. These improvements mean the platform is easier to use for users with smaller screens or poor eyesight.

Other fixes and improvements:

  • Fixed issue where the character limit was longer when creating a remediation request than when editing it
  • Fixed issue causing runtime error on large exports
  • Domains parked with register.com will now appear as inactive
  • Added exception from the non-httpOnly cookie risk for Imperva and Barracuda WAF cookies
  • Fixed issue causing remediation request email to not display company name when there are multiple users on the request
  • Fixed issue causing remediation request timeline to not display the original requester’s name when multiple users are added to the request
Monitor your subsidiaries

Abi Tyas Tunggal
November 10, 2020

We’re adding support for subsidiaries as a beta feature. This makes it easy to identify common misconfigurations and security issues shared across your organization and its subsidiaries. You can see a tree structure of your organization, click into individual subsidiaries, and dive deep into their risk profile, domains & IPs, vulnerabilities, and even their own subsidiaries. You can also request remediation of identified risks from your subsidiaries.

Examples of things you can do:

  • Find security issues shared across your organization and its subsidiaries
  • Identify subsidiaries with poor security postures
  • Understand your complete security profile from the parent company down to the individual subsidiary.

We hope you’ll find a lot of use for subsidiaries and we think this will make UpGuard work better for many different types of organizations.

If you would like to beta test the subsidiaries feature, please contact us via support@upguard.com or by using the live chat in-app which can be found in the bottom right corner of your screen. Once enabled, subsidiaries will show up under Subsidiaries under the BreachSight section of the sidebar. Click on it to view your subsidiaries and explore the additional functionality that has been released.

How to use subsidiaries to monitor your organization’s attack surface

Dynamic filtering on portfolio risk profile

When you select other filters that impact the list of findings available on your Portfolio Risk Profile, the findings filter now dynamically adjusts to only show the corresponding identified risks. For example, if you choose the risk category Website Risks, the findings will only show those that correspond to that category.

How to filter the portfolio risk profile

Other fixes and improvements

  • Fixed issue causing Excel questionnaire exports to not match the UI
  • Fixed issue where PDF exports would cut off questionnaire answers if they were too long
Create notes inside the UpGuard platform

Abi Tyas Tunggal
October 28, 2020

You can now leave generic notes about your vendors inside the UpGuard platform without having to upload a file. This means you can drop in any information you need without having to create and upload a separate document.

This could be information about what project the vendor relates to, why the vendor has been engaged, and any other important information like contract dates or SLAs that don’t justify creating and uploading an entire document.

We hope this feature means you can start storing more of your vendor-related information in UpGuard and we can start acting as your central vendor management repository.

Learn how to create notes

Better vendor filtering: NOT operator and unlabelled support

You can now filter your vendors to show any that do not match a particular label (or labels). For example, you can now see all vendors who are NOT labeled with “Customer Data”.

We’ve also added a special label called “unlabelled”, which finds all vendors who do not have a label applied or, when combined with the NOT operator, all vendors who do have labels.

Learn how to filter your vendors

Other fixes and improvements

  • Improved the design of the top of vendor summary pages
  • Fixed a UI issue that caused long vendor names to push the close button off-screen in the vendors section in the sidebar
  • Improved support for domains parked with GoDaddy; these domains will now appear as inactive
  • Fixed bug causing data leaks reporting to display duplicate keywords under some circumstances
  • Made changes to remediation requests so that risks will update when domains become active or inactive
  • Improved error message for situations where new users try to claim an expired invitation
  • Questionnaires and other vendor assets are now stored when you stop monitoring a vendor and will be there if you start monitoring the vendor again
  • Fixed UI issue causing risk assessment notifications to be hard to dismiss
  • Individual vulnerability notifications can now be dismissed
Scoring algorithm improvements

Abi Tyas Tunggal
October 12, 2020

We have made significant improvements to our scoring algorithm. From time to time, we adjust our scoring algorithm based on new information gleaned from industry trends, research, and customer feedback. It is important to note that our new scoring algorithm may have reduced your security rating and the ratings of your vendors.

Here’s what improvements were made and why:

  • Lower scores are weighted more heavily: Ensures poor security on an individual domain or IP address is not “averaged out” by otherwise good security across an organization’s infrastructure. An organization is only as secure as its weakest link.
  • Greater emphasis on network security issues: Open ports, while not dangerous on their own, often expose vulnerable services. A great example of this risk is WannaCry, a ransomware cryptoworm that infected more than 300,000 computers by exploiting a zero-day in old versions of a network protocol called SMB. WannaCry was so successful because the SMB port is open by default on many legacy Windows machines.

As part of these improvements, we have combined our brand and reputation risk categories. Brand and reputation are two sides of the same coin and we believe it makes more sense for the underlying risks to fall under the same category.

Please read this article for more information about how you should respond.

Improved design and functionality for vendor reports

We’ve improved the design and functionality of our vendor report.

Based on your feedback, we have reduced the amount of UpGuard branding on the cover page of the report and if you have custom branding enabled, you’ll see reports now include your logo on the cover page.

In addition to these design changes, you can now generate vendor reports from any instant report vendors. These improvements are designed to make the report more accessible and easier to understand for recipients whether they’re internal stakeholders or vendors.

Learn how to generate a vendor report.

Other fixes and improvements

  • Changed font from Lato to Inter, a more modern typeface that is consistent with the new UpGuard website
  • Fixed issue where switching between category and overall views on risk profile caused waivers and custom domains checkbox to become unticked
Better emails: Support for company branding and better calls to action

Abi Tyas Tunggal
October 1, 2020

We made significant improvements to our emails. The most notable change is that you can now add company branding. Once enabled, your logo will appear at the top of any email sent by us to vendors or internal stakeholders. This makes it easier for recipients to understand who is making the request and will result in less back-and-forth between you and your vendors.

As part of these changes, we’ve also refreshed the design of our emails to make it easier for recipients to know what action they need to take next. This change means faster responses, better engagement, and less time spent chasing up requests.

Learn how to enable co-branding.

Remediation workflow for vulnerabilities

You can now request remediation of verified and unverified vulnerabilities in first and third-party remediation workflows. This is part of our ongoing work to improve our vulnerability management capabilities.

Learn how to request remediation from a vendor.

Export individual identity breaches

You can now export individual identity breaches as a PDF report or to Excel. The PDF report is a great way to communicate the extent of an identity breach to your internal stakeholders without having to invite them to UpGuard.

Learn how to export an identity breach.

Other fixes and improvements

  • Improved in-product references to relevant knowledge base articles
  • The Vendor Risk executive summary now shows the number of vendors your organization monitors over time
  • You can now label your inactive domains and labels will remain when domains transition from inactive to active or active to inactive
  • Data leaks reporting now shows all keywords including those with no results
Improved vulnerability detection and management

Abi Tyas Tunggal
September 16, 2020

We’ve expanded our vulnerability detection and management capabilities by differentiating between verified and unverified vulnerabilities.

As UpGuard scans from outside companies’ networks, there are some vulnerabilities we can confirm (verified vulnerabilities), but others we only know may exist (unverified vulnerabilities). When verified vulnerabilities are detected, you’ll also be able to see them on your, and your vendors’, risk profiles and use them in our remediation and risk waiver workflows.

In addition, you can now ignore unverified vulnerabilities to remove them from the vulnerabilities list. This is different from a risk waiver because you are signaling that the risk doesn’t exist, as opposed to a risk waiver where you are accepting the risk.

To learn how to use our vulnerabilities feature, see our articles on UpGuard BreachSight vulnerabilities and UpGuard Vendor Risk vulnerabilities.

Audit log

Administrators can now see an audit log of important events in the UpGuard platform and who actioned them.

This will allow you to see, for example, who has logged in, who has had their permissions changed, whether an UpGuard employee has viewed your account, when a questionnaire has been sent, when a risk assessment has been published, and much, much more.

Learn about the events tracked through our audit log.

Six new questionnaires

As part of our continued investment in the platform, we’re releasing six new questionnaires:

  • COBIT 5 Security Standard Questionnaire: Assesses compliance against the Control Objectives for Information and Related Technologies Framework created by ISACA.
  • ISA 62443-2-1:2009 Security Standard Questionnaire: Assesses compliance against the ISA 62443-2-1:2009 standard for industrial automation and control systems.
  • ISA 62443-3-3:2013 Security Standard Questionnaire: Assesses compliance against technical control system requirements associated with the seven foundational requirements (FRs) described in IEC 62443-1-1.
  • GDPR Security Standard Questionnaire: Assesses compliance against the personal information disclosure requirements outlined in the European Union's General Data Protection Regulation (GDPR).
  • CIS Controls 7.1 Security Standard Questionnaire: Assesses compliance against the best practice guidelines for cybersecurity outlined in 20 CIS Controls.
  • NIST SP 800-53 Rev. 4 Security Standard Questionnaire: Assesses compliance against the security and privacy controls required for all U.S. federal information systems except those related to national security.

Other fixes and improvements

  • We’ve broken up Documents & Contacts into two separate pages (Documents and Contacts)
  • Documents now includes all file-based evidence for a vendor and is categorized by source: general documents, additional evidence, or questionnaire responses
  • Documents added as additional evidence are now available in the vendor’s Documents & Contacts
  • Prioritized typosquatting results to first show homoglyphs with only one substitute character and where characters look similar to the original domain.
  • UpGuard analysts can now redact a sensitive URL on a data leaks finding
  • Improved the readability of cookie-based automated scanning results
  • Added parked domain detection for registrar CSC
  • Fixed an issue where users on Chromebooks couldn’t upload files
New vendor risk report

Abi Tyas Tunggal
September 2, 2020

We added a new downloadable report to UpGuard. Now you can generate a report that outlines the security posture of any monitored vendor and share it. Reports can be configured to include automated scanning, questionnaires, and additional evidence, or be based on completed risk assessments. It’s also a nice way to introduce UpGuard to your colleagues, board members, or vendors without having to invite them to the platform.

We also added context around each identified risk and remediation recommendations that can be used to drive decision-making, speed up vendor due diligence, and drive remediation efforts.

Learn how to generate a vendor report

Additional evidence

At the start of August, we released additional evidence to select customers. Since then we have improved the functionality. We’re excited about this as it enables many of you to capture risks identified in documents that your vendors have proactively published to their websites. Starting today, additional evidence is available for all UpGuard VendorRisk users and we’ll keep improving it over time.

Learn how to capture additional evidence

Other fixes and improvements

  • Reports can now be archived and deleted
  • Added search to reports page
  • Improved search and filter functionality to support renamed vendors
  • Increased max vendor name length from 50 characters to 150 characters
  • Fixed bug when extracting risks from completed questionnaires
  • Several fixes to read-only users including removing their ability to dismiss notifications
Additional evidence

Abi Tyas Tunggal
August 6, 2020

We've released a new feature called additional evidence in closed beta that will roll out to the entire user base in two weeks. If you would like access now, please get in touch.

While we recommend you use UpGuard's security questionnaires and automated scanning tools to assess your vendors, in some situations you may need to capture additional evidence about a vendor.

For example, you may send a questionnaire to a large SaaS vendor only to be directed to a page on their website that hosts complete security questionnaires, audit reports, and certificates. These documents provide insights into the vendor's security posture and attack surface.

Additional evidence allows you to capture and store this security or compliance-related documentation and associate any identified risks. Once identified, you can choose to include these risks in the vendor's risk profile, and cite them as part of a risk assessment.

Learn how to capture additional evidence here.

Other improvements and fixes

  • Data leaks customers can now see search results from the dark web and Google searches
Improved WordPress information

Abi Tyas Tunggal
July 21, 2020

A common misconfiguration for WordPress sites is to expose the names of users. We now display the actual user list in the UpGuard platform when this risk is detected.

Additionally, we now explicitly check for old versions of WordPress that have known vulnerabilities that can be exploited.

Other improvements and fixes

  • You can now retrieve the current set of risks from a vendor via our API.
  • Risks are now prepopulated when you request remediation through the Portfolio Risk Profile.
  • Questionnaire due dates can now be changed. If you want to change a questionnaire's due date, click on the questionnaire, click the "actions" button, and then click "Set due date".
  • You can now export to PDF and Excel in more places.
  • When you have filters active and export data to PDF, the PDF that is generated will now display the filters you used.
  • The check for certificates that are about to expire now triggers when a certificate is within 20 days of expiring, rather than 30. This change is designed to reduce the number of false positives as some popular certificates (like Let's Encrypt) can be set to automatically renew when there are fewer than 30 days to expiry.
Improved webhook integrations

Abi Tyas Tunggal
July 7, 2020

In addition to our API, UpGuard uses webhooks to notify other applications when an event happens in your account. This could be when an identity breach or data leak is detected, the security rating of a vendor drops below a threshold, or when a user requests access to your Shared Profile.

Our improved webhook integration allows you to customize the payload you send to the webhook. This means you can push data into your systems without having to support our default payload format.

If you’re an UpGuard account admin, you can set up new and configure existing webhook integrations from Account Settings -> Integrations, or by clicking here.

If you need a hand setting up your first integration, please read our article on how to integrate UpGuard with other services.

Vulnerabilities are now available through our API

The UpGuard API now lets you return the list of vulnerabilities detected for your organization and your vendors. Click here for details.

Other improvements and fixes

  • When you filter your vendor portfolio based on labels you can now choose whether you want to see vendors that match any of the labels applied or restrict the results to only vendors who have all labels applied.
  • You can now export from the "Vendors" page in Excel and PDF formats
Data Leaks Reporting

Abi Tyas Tunggal
June 23, 2020

We're releasing a new feature for our Data Leaks customers called Data Leaks Reporting. It provides detailed analytics on the keywords you have provided us.

You'll be able to see which research results were classified as safe (by our algorithms or analysts), and which resulted in findings.

Please note: This feature will be rolled out over the coming week. In the meantime, be sure to check out our knowledge base article on Data Leaks Reporting.

If you are a current UpGuard customer and are interested in the Data Leaks module, please contact your Technical Account Manager or click the chat widget in the lower right corner of your screen.

UpGuard Vendor Risk

We've made some enhancements to the export functionality of Portfolio Risk Profile. You'll now notice that when you export data it will include the details of the specific risks identified at each vendor.

Read our knowledge base article on how to export from the Portfolio Risk Profile for more information.

UpGuard BreachSight

We've also improved the export functionality of Vulnerabilities. When you export vulnerabilities, we now include the description of the CVE in the export.

If you would like to learn more about our Vulnerabilities module, read our knowledge base article here.

Shared Profile

Abi Tyas Tunggal
June 10, 2020

We've made it easier to control who has access to your Shared Profile. You can now choose to give access to any registered UpGuard user or only to people you explicitly approve.

For context, a Shared Profile makes it easier to respond to security queries by allowing you to proactively publish information, such as completed security questionnaires or a SOC 2 report, alongside your security rating.

This saves your team time by allowing you to share vital information for potential and current customers without having to respond to the same questions over and over.

If you haven't contacted us to enable the Shared Profile functionality and would like to use it, please do so via support@upguard.com or via the chat widget in the bottom right-hand corner of your screen.

And if you'd like to configure your company's Shared Profile or access level, you can do so from the "My Shared Profile" page.

Go to My Shared Profile

Improved knowledge base

To help you and your team get up to speed with existing and new features inside the UpGuard platform, we're rolling out a new knowledge base.

If you want us to explain how to use any of our features or what we consider best practices, please reach out to us and we'll do our best to accommodate.  

Go to the UpGuard Knowledge Base

Portfolio Risk Profile

Abi Tyas Tunggal
May 27, 2020

We’ve released a new feature for UpGuard Vendor Risk customers called Portfolio Risk Profile. Explore this feature in the UpGuard platform.

It allows you to view the overall risk profile of your vendor portfolio in a single place. For example, you can filter down based on specific risks (e.g. open FTP port) or see all the risks associated with vendors that are labeled as “in-use”.

You can read more about what the Portfolio Risk profile is here, learn how to use its filter functionality here, and learn how to export data here.

In other news, you can now filter Executive Summary Reports across UpGuard Vendor Risk and UpGuard BreachSight.

You can filter by label or score range in the UpGuard Vendor Risk Executive Summary and by label in the UpGuard BreachSight Executive Summary. To apply a filter, click on the “Apply filters” button in the top right-hand corner of your screen.

We’re also investing in our user interface to ensure the UpGuard platform remains consistent, deliberate, and easy to use. Expect more improvements over the next few weeks.

UpGuard Vendor Risk

In summary:

  • Released the Portfolio Risk Profile
  • Added filtering for UpGuard Vendor Risk Executive Summary
  • Improved the UI

UpGuard BreachSight

We’ve improved our typosquatting module. It now checks for permutations based on other top-level domains. For example, if you are monitoring “example.com” we will now return permutations such as “example.net

In summary:

  • Improved typosquatting module
  • Added filtering for the UpGuard BreachSight Executive Summary
  • Improved the UI
Report exporting improvements

Abi Tyas Tunggal
May 12, 2020

We’ve greatly improved the report export functionality across the UpGuard platform. You can now export your own or a vendor’s risk profile to Excel. The Excel file contains a row for each combination of risk and domain / IP.

You’ll also notice that reports reflect any filters you have in place, such as label-based or score-based filtering. To try this out, log in to the UpGuard platform > go to your Risk Profile > apply a filter > click export.

You’ll see there is an option to apply active filters, as well as to export to PDF or Excel.

Additionally, we’ve made some changes to how we report on and classify domains and IP addresses across both UpGuard Vendor Risk and UpGuard BreachSight:

  • When a domain or IP is removed (from a vendor’s infrastructure or your own), you will now see a corresponding event in the “changes” view.
  • Domains with open ports are now classified as “active” to better reflect an organization’s attack surface. Prior to this, domains with open ports but no website or email configuration were classified as “inactive”.
  • Parked domains at several registrars are now considered “inactive”. If you have parked domains that do not appear inactive, please contact UpGuard Support and we can set them as “inactive”.

We also made a small change to our scoring engine. The "HTTP still accessible" check will now fail for domains that respond with a 4xx/5xx HTTP status code over plain HTTP. Previously only sites responding with 200 failed this check.

UpGuard Vendor Risk

We’ve made UpGuard Vendor Risk specific improvements:

  • Domains and IPs are now viewable from Risk Assessments. This means when you conduct a risk assessment on a vendor, you can use the list of Domains and IPs monitored by UpGuard, as well as their associated risks, as part of the evidence for that assessment.
  • We’ve made some improvements to how we collect fourth-party information for our Concentration Risk and Supply Chain modules. If you would like to know more about these modules, please contact UpGuard Support.

UpGuard BreachSight

We’ve made UpGuard BreachSight specific improvements:

  • The Identity Breaches API now includes the data classification for each breach, such as whether it contains passwords, PII, or other sensitive information.
  • Vulnerability alerts are now grouped into a single email. This means if you enable email notifications for new CVE discoveries, we will only send you one email per day that outlines all impacted domains and IPs. You can manage your notifications by clicking here.
Deeplinking, category scores and revoke certificate checks

Abi Tyas Tunggal
April 28, 2020

We've made some changes to how we are structuring the sidebar in the UpGuard CyberRisk. The Executive Summary is now split into two separate pages:

This better reflects the nature of the data contained in each page and ensures there is a consistent separation between UpGuard Vendor Risk and UpGuard BreachSight. Additionally, we've reordered some other menu items to improve usability.

Other product-wide improvements in this release include:

  • Deeplinking. If you click an UpGuard link, such as an email notification, and are not logged in, after logging in you will be redirected to the page you were trying to access
  • Category scores. We've improved our API and have made category scores available through the Vendor List API endpoint
  • Revoked certificate check. This is a new check that is part of our automated scanning

UpGuard Vendor Risk improvements

We've improved the ability to drill down into specific details on the UpGuard Vendor Risk Executive Summary. You can now:

  • See which vendors fall within each score range in Current Risk Ratings Breakdown
  • Navigate to the details of a specific vendor in Highest and Lowest Rated Vendors
  • See what products your vendors are using in Supply Chain Risk Section

Additionally, we now:

  • Display supported file types on the Documents and Contacts page.
  • Have a new app or email notification type for when a Risk Assessment is published. If you would like to receive these notifications, head to the Notifications page.

UpGuard BreachSight improvements

We've improved the UpGuard BreachSight Executive Summary by:

  • Allowing you to add up to ten competitors to Competitor Analysis

Additionally, we've made a few small improvements:

Improvements to how we display domains and IPs

Abi Tyas Tunggal
April 14, 2020

Over the next week, we'll be rolling out a change to how we display domains and IPs in the UpGuard platform.

Going forward, we will display inactive domains and IPs across your own infrastructure and that of your vendors. We previously only reported on active domains and IPs, e.g. ones running a website or with MX records. We track many more domains than what appears in the active section and now provide a way for you to view these.

UpGuard Vendor Risk improvements

We’ve also improved the design and usability of our new Risk Assessment feature, making it easier to create and read risk assessments. As always, if you’d like to try the feature please let us know via support@upguard.com.

And if your account is configured to factor questionnaire scores into the overall score of a vendor, you will now see a breakdown of the score on their risk profile and vendor summary page.

In short, we now show the total score, questionnaire score, and score based on automated scanning.

UpGuard BreachSight improvements

We’ve added new functionality and data to the Identity breaches module:

  • You can now send email notifications to those who are exposed in third-party data breaches. This is a good way to remind staff about the appropriate use of work email accounts, discourage staff from reusing passwords, or to remind people to change their passwords.
  • Breaches can now be archived once you have processed them, e.g. once you’ve notified impacted employees.
  • Our data set of breaches now includes additional breaches that were discovered by the UpGuard Cyber Research team.
Introducing Risk Assessment

Abi Tyas Tunggal
March 19, 2020

We launched a new feature called Risk Assessment. This feature is currently available on request; if you would like access, please email support@upguard.com.

Risk Assessment allows you to:

  • Specify the evidence you reviewed as part of the assessment (including questionnaires and automated scan results)
  • Document your findings based on this evidence
  • Record who conducted the assessment
  • Export the assessment as a PDF
  • Make the assessment visible within the app to all the users of your account

UpGuard Vendor Risk improvements

We've also released two Pandemic questionnaires designed to help you assess your vendors' readiness to deal with the current pandemic, as well as improved PDF report generation.

When you export information to PDF, it will now appear in the sidebar under a new menu item called "Reports". This also fixes the bug where generating reports for large vendors would sometimes time out.

UpGuard BreachSight improvements

We've added an API that returns information about your company's identity breaches, made it easier to tell which domains and IPs you've added manually, and pushed quite a few bug fixes and minor tweaks.

New Vendor Summary

Abi Tyas Tunggal
February 19, 2020

New Vendor Summary: When you look up a vendor, the first page you see is now a new Vendor Summary. This provides a management-level view of the vendor, and can also be exported as a PDF.

Other improvements

  • Enhanced Risk Profile: We’ve made a number of improvements to the Risk Profile page, including the ability to filter by risk category (e.g. website risks, email risks, etc.)
  • Websites & APIs is now called Domains and IPs
  • Greatly enhanced port scanning: We now explicitly check for nearly 200 services running across thousands of ports. We also report any services that we can’t identify, and any open ports where no services are detected.
  • We’ve made some changes to our scoring algorithm:
    • Updated email security checks: this includes a new check for the DMARC policy (which fails if p=none). For information on email security, see https://www.upguard.com/blog/email-security
    • Improved checking for open ports/services: As part of enhancing our port scanning capability, we have reviewed and updated the severity of risks associated with open ports/services.
    • The HSTS checks now include a check against the Chromium preload list. If a domain is on the preload list, all HSTS checks pass for that domain and all its subdomains.
    • Updated domain status checks for .au domains: We no longer check for clientTransferProhibited or serverRenewProhibited on .au domains, as they are not applicable.
  • Changes to open ports can now be reflected in CyberRisk sooner, by pressing the “RESCAN” button. When a port is closed, manually requesting a rescan of the website will now detect the change to the port sooner (usually within a day).
  • WHOIS lookup within Typosquatting: When you view a registered permutation of a domain you are monitoring for typosquatting, you can now see that permutation’s WHOIS information
  • New Questionnaires: We have added questionnaires for PCI DSS, CPPA, and Modern Slavery.
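
As an added illustration of the DMARC policy check listed above (which fails if p=none), the following Python sketch evaluates the TXT records published at _dmarc.<domain>. It is not UpGuard's implementation: the function names, the constructed sample records and every rule other than the p=none failure are assumptions based on RFC 7489.

```python
# Added example, not UpGuard code. Sample records are constructed;
# example.com is a placeholder domain.

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(txt):
    """Return the tag/value pairs of a DMARC record, or None if txt is not one."""
    # RFC 7489: the record must begin with the v tag, value exactly "DMARC1".
    first = txt.split(";", 1)[0].replace(" ", "")
    if first != "v=DMARC1":
        return None
    tags = {}
    for part in txt.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            # Keep the first occurrence of a tag; tag names are lowercased.
            tags.setdefault(name.strip().lower(), value.strip())
    return tags


def check_dmarc_policy(txt_records):
    """Return (passed, reason) for the TXT records found at _dmarc.<domain>."""
    records = [r for r in map(parse_dmarc, txt_records) if r is not None]
    if not records:
        return False, "no DMARC record published"
    if len(records) > 1:
        # Receivers apply no DMARC policy when more than one record is present.
        return False, "multiple DMARC records"
    policy = records[0].get("p", "").lower()
    if policy not in VALID_POLICIES:
        return False, "missing or invalid p tag"
    if policy == "none":
        return False, "p=none requests no action on failing mail"
    return True, "p=" + policy


if __name__ == "__main__":
    samples = {  # constructed TXT record sets
        "monitoring only": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
        "enforced": ["v=spf1 -all", "v=DMARC1; P=Reject"],
        "duplicate": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
        "absent": ["v=spf1 -all"],
    }
    for label, txt in samples.items():
        print(label, check_dmarc_policy(txt))
```
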
Exporting vulnerabilities

Abi Tyas Tunggal
January 22, 2020
  • Export Vulnerabilities: You can now export the list of vulnerabilities
  • Better domain discovery: We’ve made further improvements to our domain discovery engine, which results in more domains and subdomains being discovered.
  • Various usability tweaks and bug fixes
2019
NIST CSF Questionnaire

Abi Tyas Tunggal
December 23, 2019

We have released a new questionnaire that is mapped to NIST CSF. To use this questionnaire, you'll first need to enable it from the "Questionnaire Library" section of Vendor Risk. When one of your vendors completes a questionnaire, any risks identified will be mapped to the corresponding CSF control categories.

Share your security profile

Abi Tyas Tunggal
December 11, 2019
  • Share your security profile: Make it easier for other companies to assess your cybersecurity posture by proactively publishing security-related information including questionnaire responses and other security documents. Control who has access to these documents, and see who has viewed them. Invite companies to view your Shared Profile when they are assessing you, and spend less time completing security questionnaires. Contact UpGuard Support to enable your Shared Profile.
  • Export questionnaires: Download completed questionnaires as PDFs.
  • Questionnaire workflow improvements: When you receive a completed questionnaire, mark it as “in review” to keep track of who in your team is reviewing which questionnaire response.
  • API enhancements: Data leaks are now available through the API. See the API documentation for more details.
  • Various bug fixes
Executive Summary Report

Abi Tyas Tunggal
November 11, 2019
  • Executive Summary Report: We’ve created a new report to provide a summary of your own cybersecurity posture, and that of your vendors. We’ll be activating it for existing customers over the next week or so.  As part of this change you’ll notice the “Dashboard” page has been replaced with two new pages - the "Executive Summary", and a dedicated “Notifications” page.
  • Enhanced file upload feature for questionnaires: When providing evidence as part of responding to a security questionnaire, you can now point to a file that you've already uploaded. This allows the same file to be referenced as evidence for multiple questions without having to upload multiple copies of it.
  • Various bug fixes, including some display issues related to the Microsoft Edge browser.
Improved notifications

Abi Tyas Tunggal
October 16, 2019
  • You can now receive notifications when your company's score drops below a certain threshold, or by a certain number of points. To opt in and out of these notifications, use the "manage notifications" link on the dashboard page. To customise the set of notifications available to users in your account, go to Account Settings -> Notifications (admin users only).
  • The Insecure SSL/TLS Versions check now fails for TLSv1.1, in addition to SSLv2, SSLv3, and TLSv1.0. See RFC 7525 for more detail on why TLSv1.1 should be disabled.
  • We fixed a bug where for some websites we would incorrectly report old versions of TLS as being available.
  • We improved the way we display vendors whose primary domain does not have a website running on it.
WordPress scanning

Abi Tyas Tunggal
September 18, 2019
  • WordPress scanning: Whenever we detect that a site uses WordPress, we now run a series of additional security checks. These checks identify configuration problems that leave WordPress sites vulnerable to attack.
  • Supply Chain Concentration Risk (beta):  We have launched a beta of a new feature which highlights where companies in your supply chain (e.g. your vendors) rely on common underlying technology (e.g. hosting providers, email providers).  Contact UpGuard Support if you would like early access to this feature.
  • The character limit for messages you include when sending questionnaires has been increased from 300 to 1000
  • Various bug fixes
Vendors and instant reports

Abi Tyas Tunggal
September 3, 2019
  • We’ve improved the way we display your list of vendors and instant reports.
  • You can now search for vendors by URL as well as name
  • We’ve improved the way questionnaires are displayed, including making it easier to view the risks, and improving the question numbering
  • We've changed the algorithm for scoring questionnaires to improve the way unanswered questions are weighted.
  • We’ve improved the way “Assurance” customers view their customer portfolio
Add custom labels

Abi Tyas Tunggal
August 7, 2019
  • You can now add custom labels to your websites in BreachSight, just like the labels you can already add to your vendors in VendorRisk. You can then use labels to filter websites on all pages where your websites are shown.
  • UpGuard has now been added as one of your monitored vendors in VendorRisk, if you were not monitoring the UpGuard vendor already. This will not count towards the available monitored vendor slots in your account. If you are not using VendorRisk already, you will now be able to access it, with UpGuard as your only monitored vendor.
  • We've improved our risk model for redirect domains. These are domains that redirect users to a different domain, and do not themselves host a website. Before this change, if example.co.uk redirected to example.com, some of the risks that we scan for were only being identified on example.com, and example.co.uk was not being checked for all possible risks. With this change, all risks applicable to example.co.uk will now be correctly identified. The most significant new risks that you may start seeing on redirect domains are related to HTTPS support and SSL certificate issues. You may notice some fluctuations in website scores as this change is rolled out, but the end result will be a more accurate reflection of the risks associated with these domains.
  • It's now easier to manage your Cyber Risk API keys from your account Settings page. You can have multiple active API keys, and specific keys can be deleted. This allows API keys to be rotated more easily, when required.
  • Various bug fixes.
  • You will now be notified on your Cyber Risk dashboard when we release new features in future. Keep an eye out for the notification.
Add "private" notes to questionnaires and remediation requests

Abi Tyas Tunggal
July 23, 2019
  • You can now add "private" notes to questionnaires and remediation requests. These are visible to users of your account, but not to the recipients of the questionnaire or remediation request.
  • We've improved how we present your own score. When we display your own company's score to you, we can draw on public information (such as the configuration of your websites) as well as private information (such as which vendors you have marked as "in use"). This lets us provide the most complete view of your security posture. When someone else (another CyberRisk customer) looks up your company, however, we report your score based only on the publicly available information. This has caused some confusion, and to address this, we've changed the way you see your own score on your "Risk Profile" page. You can now choose to either see your "public" score, or also factor in the private data you have provided.
  • When you manually request a scan for a given website, we are now rescanning for open ports on that website more quickly. At times it may still take a while for refreshed port scan data to flow through, but it should often appear within 10 minutes or so. Note that when ports change from "open" to "filtered" (as opposed to "closed"), it will still take up to 30 days for changes to flow through.
  • When you manually request a scan for a given website, and the scan fails (for instance, if the website is no longer running) we now report the failure, as well as how many times it's failed previously, and when the website will be removed (after 4 consecutive failures).
  • You can now request remediation or create a risk waiver from the Risk Profile page, or while looking at the details of a specific website.
  • We fixed a problem with vulnerabilities where some websites that use shared IP addresses would have vulnerabilities incorrectly assigned to them.
  • We've made a number of UI improvements and bug fixes
Filter vendors by score range and introducing questionnaire library

Abi Tyas Tunggal
July 9, 2019
  • We now allow vendors to be filtered by a score range, and use this to provide a clickthrough from the vendor breakdown on the dashboard.
  • We have extended vendor filtering to cover the contents of the dashboard (including the vendor breakdown) and the remediation list.
  • We have created a questionnaire library, allowing account admins to easily configure which questionnaire types are able to be selected and sent by their users. It also allows non-admin users to browse and preview those questionnaire types that have been selected for the account.
  • Various bug fixes
Simplified Data Leaks workflow

Abi Tyas Tunggal
June 26, 2019
  • The Data Leaks workflow has been simplified. Now there are only 3 states for a Data Leak - Disclosed, Acknowledged, and Closed. The Closed status still includes the reason for closure (Fixed, Not a Risk, or Risk Accepted), and can be verified by an UpGuard analyst as an additional final step.
  • The Documents list on the Questionnaire Details page now includes all documents relevant to the questionnaire, and whether they have been included or not. This allows users to easily see which documents have been uploaded and which have been omitted.
  • Users can now include a message when requesting remediation, which will be visible to the recipient.
  • Users must now include a "justification" when creating a risk waiver which will be visible to the approver, if one exists. If there is a separate approver, their justification will be shown separately.
  • Score history (up to a year if the data is available) is now enabled by default for all accounts.
  • There is a new action in the Actions dropdown to "Send a message" available on the Questionnaire Details screen. This prompts the user to enter a message in the Correspondence section.
  • Admin users can now remove themselves from an account, as long as there is at least one other admin user on the account.
  • Various bug fixes and cross-browser improvements.