UpGuard Release Notes

You can now build your own security questionnaires inside the UpGuard platform. Start from scratch, or use one of our growing library of questionnaires as a starting point and adjust it to cater for your specific needs.

Creating a custom questionnaire is easy. We provide you with a range of question types designed to cater for different circumstances. Think single, multi-select and text-based answers, as well as file uploads to capture additional evidence and sections to group related questions together. 

Like our in-built questionnaires, custom questionnaires can be configured to automatically identify risks based on one or more answers to a set of questions. When a risk is identified, you can also choose whether or not to ask respondents for compensating control information.

In addition to automatic risk identification, our custom questionnaire builder has powerful conditional logic which lets you ask the right questions and skip the rest. Asking only what is required means more thoughtful responses and higher completion rates. 

All in all, your custom questionnaires can be as powerful as you want them to be.

While we iron out the last kinks, this is a beta feature. You can get it enabled by reaching out to our support team. If you have any feedback on this or any other feature, don’t hesitate to reach out to us.

Learn how to use our questionnaire builder.

Recurring reports

We have added the option to schedule recurring reports.

Exporting data in UpGuard has so far required you to log in, navigate to the desired page, and then click the export button each time you want fresh data. This can become frustrating if you want to export the same data on a recurring schedule or if you need to share the data with stakeholders who don’t use the UpGuard platform.

This is why we built a new way to export reports that makes it super simple and fast to create recurring reports on a weekly, monthly, quarterly, or yearly cadence. The new export modal also lets you add any email address, so you can easily share recurring reports with colleagues or stakeholders who aren’t UpGuard users.

Recurring reports is currently a beta feature. If you would like to be a beta tester, please reach out to our support team.

Learn more about recurring reports.

Other fixes and improvements

• You can now remove the original recipient and change the sender when resending questionnaires
• Added support for multiple recipients when creating a questionnaire or remediation request
• Fixed issue where /vendors and /vendor endpoints were returning different scores
• Fixed issue where vendors using Amazon CloudFront would be penalized
• Fixed issue causing an open port 7654 on Azure Apps environments to be raised as a risk
• Domains parked at NetRegistry will now be classified as inactive
• Fixed issue where custom domains were not shown when they failed their first scan
• Vulnerability notifications now lead to a filtered version of the vulnerabilities page that is specific to the notification
• Fixed issue causing vendors with no active domains to not load
  

Learn about new features, changes, and improvements to UpGuard this month:

You can now export your list of monitored typosquatting domains, as well as the registered, unregistered, and ignored permutations of a specific domain to PDF or Excel. 

Once exported, you can use the permutations in workflows outside the UpGuard platform. This may include adding registered permutations to a default block list for your email gateway, handing them over to your legal team to do takedown outreach, or feeding them into a separate platform. 

In addition to these improvements, we’re also introducing filtering for typosquatting. You can filter down the number of typosquatting permutations by selecting a specific type. For example, you may want to identify all the possible typosquatting permutations that are homoglyph substitutions. And when you go to export, you’ll have the option to apply any active filters.

Learn how to export from typosquatting or filter typosquatting permutations results.

Other fixes and improvements

• You can now retrieve files uploaded to a vendor’s documents, questionnaires, or additional evidence via our API
• Active vendor risk waivers now appear in the Vendor Report as well as Risk Profile, Risk Assessment, and Portfolio Risk Profile exports
• Compensating control information for questionnaire risks is now visible on the questionnaire details page
• Waiving a risk from specific questionnaire now only selects the risk from the corresponding questionnaire
• Fixed bug where compensating control information was being displayed for all questionnaire rather than only the questionnaires that the risk was waived from
• Fixed issue where Vendor Summary prompted Third-Party Risk Management Services customers to create or edit a questionnaire when one didn’t exist or was in draft
• Standardized time format in UpGuard API to 6 decimal places
• Improved text in vendor risk report to support situations where details are not exported
• Fixed issue where inactive domains were not showing if there were no associated scanning results
• Fixed issue where parent domain wasn’t showing in tree view when all subdomains were inactive

We’ve made a small but meaningful improvement to how you manage vendor risks inside UpGuard. Vendor Risk Waivers lets you waive vendor risks identified through automated scanning, questionnaires, and additional evidence.  

This feature is particularly useful for risks identified through questionnaires. For those that are not aware, when you send a questionnaire through the UpGuard platform we automatically identify risks based on the answers provided by your vendor and ask for compensating control information. 

In the past, you couldn’t use this compensating control information to waive the risk even if you were happy with the information provided. Now you can waive risks and remove them from the vendor’s risk profile if the vendor has adequate compensating controls. 

Vendor Risk Waivers is currently in closed beta. If you would like access, please contact UpGuard support.

Learn how to waive a vendor risk.

Detect vendor data leaks

We’re introducing a new managed service called Vendor Data Leaks. As you may be aware, our team of analysts and proprietary data leak detection engine give us an unparalleled ability to find leaked credentials and exposed data before it gets into the wrong hands. 

Vendor Data Leaks extends these capabilities by monitoring for data leaks at your vendors so you know if they’ve exposed data before it impacts your organization. When our data leak detection engine finds an exposure at your vendor, our analysts review the data, assign a severity, and speak to you to get an appropriate vendor contact. 

Once we have a contact, we’ll work directly with the vendor to remediate the issue and notify you when the exposure has been resolved. ‍

Vendor Data Leaks is currently in closed beta. If you would like more information, please contact UpGuard support. 

Learn more about vendor data leaks. 

Other fixes and improvements

• You can now use the category filter on the risk profile in exports
• Improved design of export modal

Our IP Addresses feature helps you manage your cyber risk by providing an IP-centric view of your organization and its vendors’ attack surfaces. With IP Addresses, UpGuard automatically finds the IP addresses and ranges associated with the DNS records of an organization’s domains, as well as any IPs or ranges that are added manually. In the coming weeks, we’ll further enhance this feature by attributing ownership of IP ranges based on WHOIS data.

If an IP address is associated with at least one domain, UpGuard has already been scanning it during our domain-based analysis of security issues, misconfigurations, and vulnerabilities. As you know, this analysis then feeds into our scoring algorithm which gives the domain a security rating.

As part of this release, we now scan IP addresses that don’t have a DNS record for open ports and other security issues and give those IPs a security rating. Just as you can drill into the underlying issues associated with a scored domain, we surface the underlying security issues associated with these IP addresses, and what we recommend you do to improve your security posture. 

The other major change we’ve made is support for IP ranges. When you add an IP range, UpGuard will periodically scan through the range to discover any new assets. This is an excellent way to reduce the risks associated with shadow IT services as we’ll uncover potentially unknown assets during these scans.

Clicking into an individual IP address will show you the owner, associate IP range, country, autonomous system (AS), autonomous system number (ASN), and any associated domains or risks. Likewise, by clicking into an IP range, you’ll see the owner, country, and number of IPs in the range, as well as any detected IP addresses or domains. Both views can be filtered by services, IP owner, ASN, or IP country.

IP Addresses is currently a beta feature. If you or your team would like to test IP Addresses prior to its official release, please contact us at support@upguard.com.

Learn how to monitor your IP addresses and ranges and see how we can help you monitor your vendor’s IP-based assets here.

Templates for remediation requests, risk assessments, questionnaires, and identity breach notifications

Templates lets administrators set up templates for remediation requests, risk assessments, questionnaires, and identity breach notifications emails sent from the UpGuard platform. 

Using templates is a great way to save time, ensure consistency and uniformity across teams and processes, by reducing mistakes and errors caused by copying and pasting text across documents. 

Templates are available for customers on the Professional bundle and up or as an add-on on lower plans.

Learn how to set up templates

Other fixes and improvements:

• Changed Attestations to Answer Questionnaires in the sidebar to make it easier for new users to know where they need to go to respond to questionnaires

Learn about new features, changes, and improvements to UpGuard this month:

‍Managed Vendors helps you manage your third-party vendor risk. UpGuard analysts assess your vendors and present their findings in a comprehensive report based on the analysis of security questionnaires, compensating control information, public security documentation, and security ratings data. 

Beta users can now see which vendors are managed by UpGuard, request an assessment, and get notified when analysts publish a new assessment from inside the platform. 

Managed Vendors is currently a beta feature. If you are a current Managed Vendors customer or want to learn more about how UpGuard can help you manage your third-party vendor risk, please contact us at support@upguard.com

Learn more about managed vendors and how to use it.

Other fixes and improvements:

• Added support for filtering by individual CVE on the subsidiary risk profile
• Standardized and increased character limits on in-app correspondence
• Risk rating icons and alert colors now match
• Fixed issue causing questionnaires to become unavailable in Vendor Risk Report when new questionnaire was in draft

Learn about new features, changes, and improvements to UpGuard this month:

We’ve updated input fields and buttons styles throughout the platform to ensure consistency. Whether you’re searching for findings on your risk profile, looking for a specific vendor, or filtering vulnerabilities, input fields and buttons should now look, feel, and behave in the same way. This makes it easier for new users to get up to speed quickly and for existing users to learn how to use new features as we release them.

In addition to these changes, we’ve made accessibility improvements to our icons by increasing their clickable area and adding hover states. These improvements mean the platform is easier to use for users with smaller screens or poor eyesight.

Other fixes and improvements:

• Fixed issue where the character limit was longer when creating a remediation request than when editing it
• Fixed issue causing runtime error on large exports
• Domains parked with register.com will now appear as inactive
• Added exception from the non-httpOnly cookie risk for Imperva and Barracuda WAF cookies
• Fixed issue causing remediation request email to not display company name when there are multiple users on the request
• Fixed issue causing remediation request timeline to not display the original requester’s name when multiple users are added to the request

We’re adding support for subsidiaries as a beta feature. This makes it easy to identify common misconfigurations and security issues shared across your organization and its subsidiaries. You can see a tree structure of your organization, click into individual subsidiaries, and dive deep into their risk profile, domains & IPs, vulnerabilities, and even their own subsidiaries. You can also request remediation of identified risks from your subsidiaries.

Examples of things you can do:

• Find security issues shared across your organization and its subsidiaries
• Identify subsidiaries with poor security postures
• Understand your complete security profile from the parent company down to the individual subsidiary.

We hope you’ll find a lot of use for subsidiaries and we think this will make UpGuard work better for many different types of organizations.

If you would like to beta test the subsidiaries feature, please contact us via support@upguard.com or by using the live chat in-app which can be found in the bottom right corner of your screen. Once enabled, subsidiaries will show up under Subsidiaries under the BreachSight section of the sidebar. Click on it to view your subsidiaries and explore the additional functionality that has been released.

How to use subsidiaries to monitor your organization’s attack surface

Dynamic filtering on portfolio risk profile

When you select other filters that impact the list of findings available on your Portfolio Risk Profile, the findings filter now dynamically adjusts to only show the corresponding identified risks. For example, if you choose the risk category Website Risks, the findings will only show those that correspond to that category.

How to filter the portfolio risk profile

Other fixes and improvements

• Fixed issue causing Excel questionnaire exports to not match the UI
• Fixed issue where PDF exports would cut off questionnaire answers if they were too long

You can now leave generic notes about your vendors inside the UpGuard platform without having to upload a file. This means you can drop in any information you need without having to create and upload a separate document.

This could be information about what project the vendor relates to, why the vendor has been engaged, and any other important information like contract dates or SLAs that don’t justify creating and uploading an entire document.

We hope this feature means you can start storing more of your vendor-related information in UpGuard and we can start acting as your central vendor management repository.

Learn how to create notes

Better vendor filtering: NOT operator and unlabelled support

You can now filter your vendors to show any that do not match a particular label (or labels). For example, you can now see all vendors who are NOT labeled with “Customer Data”.

We’ve also added a special label called “unlabelled” which can be used to find all vendors who do not have a label applied or who do have labels if you use the NOT operator.

Learn how to filter your vendors

Other fixes and improvements

• Improved the design of the top of vendor summary pages
• Fixed a UI issue that caused long vendor names to push the close button off-screen in the vendors section in the sidebar
• Improved support for domains parked with GoDaddy, these domains will now appear as inactive
• Fixed bug causing data leaks reporting to display duplicate keywords under some circumstances
• Made changes to remediation requests so that risks will update when domains become active or inactive
• Improved error message for situations where new users try to claim an expired invitation
• Questionnaires and other vendors assets are now stored when you stop monitoring a vendor and will be there if you start monitoring the vendor again
• Fixed UI issue causing risk assessment notifications to be hard to dismiss
• Individual vulnerability notifications can now be dismissed

We have made significant improvements to our scoring algorithm. From time to time, we adjust our scoring algorithm based on new information gleaned from industry trends, research, and customer feedback. It is important to note that our new scoring algorithm may have reduced the security rating of you and your vendors.

Here’s what improvements were made and why:

• Lower scores are weighted more heavily: Ensures poor security on an individual domain or IP address is not “averaged out” by otherwise good security across an organization’s infrastructure. An organization is only as secure as its weakest link.
• Greater emphasis on network security issues: Open ports, while not dangerous on their own, often expose vulnerable services. A great example of this risk is WannaCry, a ransomware cryptoworm that infected more than 300,000 computers by exploiting a zero-day in old versions of a network protocol called SMB. WannaCry was so successful because the SMB port is open by default on many legacy Windows machines.

As part of these improvements, we have combined our brand and reputation risk categories. Brand and reputation are two sides of the same coin and we believe it makes more sense for the underlying risks to fall under the same category.

Please read this article for more information about how you should respond.

Improved design and functionality for vendor reports

We’ve improved the design and functionality of our vendor report.

Based on your feedback, we have reduced the amount of UpGuard branding on the cover page of the report and if you have custom branding enabled, you’ll see reports now include your logo on the cover page.

In addition to these design changes, you can now generate vendor reports from any instant report vendors. These improvements are designed to make the report more accessible and easier to understand for recipients whether they’re internal stakeholders or vendors.

Learn how to generate a vendor report.

Other fixes and improvements

• Changed font from Lato to Inter, a more modern typeface that is consistent with the new UpGuard website
• Fixed issue where switching between category and overall views on risk profile caused waivers and custom domains checkbox to become unticked