
Better emails: Support for company branding and better calls to action
We made significant improvements to our emails. The most notable change is that you can now add company branding. Once enabled, your logo will appear at the top of any email sent by us to vendors or internal stakeholders. This makes it easier for recipients to understand who is making the request and will result in less back-and-forth between you and your vendors.
As part of these changes, we’ve also refreshed the design of our emails to make it easier for recipients to know what action they need to take next. This change means faster responses, better engagement, and less time spent chasing up requests.
Learn how to enable co-branding.
Remediation workflow for vulnerabilities
You can now request remediation of verified and unverified vulnerabilities in first and third-party remediation workflows. This is part of our ongoing work to improve our vulnerability management capabilities.
Learn how to request remediation from a vendor.
Export individual identity breaches
You can now export individual identity breaches as a PDF report or to Excel. The PDF report is a great way to communicate the extent of an identity breach to your internal stakeholders without having to invite them to UpGuard.
Learn how to export an identity breach.
Other fixes and improvements
- Improved in-product references to relevant knowledge base articles
- The Vendor Risk executive summary now shows the number of vendors your organization monitors over time
- You can now label your inactive domains, and labels will remain when domains transition from inactive to active or active to inactive
- Data leaks reporting now shows all keywords including those with no results

Improved vulnerability detection and management
We’ve expanded our vulnerability detection and management capabilities by differentiating between verified and unverified vulnerabilities.
As UpGuard scans from outside companies’ networks, there are some vulnerabilities we can confirm (verified vulnerabilities), but others we only know may exist (unverified vulnerabilities). When verified vulnerabilities are detected, you’ll also be able to see them on your and your vendors’ risk profiles and use them in our remediation and risk waiver workflows.
In addition, you can now ignore unverified vulnerabilities to remove them from the vulnerabilities list. This is different from a risk waiver because you are signaling that the risk doesn’t exist, as opposed to a risk waiver where you are accepting the risk.
To learn how to use our vulnerabilities feature, see our articles on UpGuard Breach Risk vulnerabilities and UpGuard Vendor Risk vulnerabilities.
Audit log
Administrators can now see an audit log of important events in the UpGuard platform and who actioned them.
This will allow you to see, for example, who has logged in, who has had their permissions changed, whether an UpGuard employee has viewed your account, when a questionnaire has been sent, when a risk assessment has been published, and much, much more.
Learn about the events tracked through our audit log.
Six new questionnaires
As part of our continued investment in the platform, we’re releasing six new questionnaires:
- COBIT 5 Security Standard Questionnaire: Assesses compliance against the Control Objectives for Information and Related Technologies Framework created by ISACA.
- ISA 62443-2-1:2009 Security Standard Questionnaire: Assesses compliance against the ISA 62443-2-1:2009 standard for industrial automation and control systems.
- ISA 62443-3-3:2013 Security Standard Questionnaire: Assesses compliance against technical control system requirements associated with the seven foundational requirements (FRs) described in IEC 62443-1-1.
- GDPR Security Standard Questionnaire: Assesses compliance against the personal information disclosure requirements outlined in the European Union's General Data Protection Regulation (GDPR).
- CIS Controls 7.1 Security Standard Questionnaire: Assesses compliance against the best practice guidelines for cybersecurity outlined in 20 CIS Controls.
- NIST SP 800-53 Rev. 4 Security Standard Questionnaire: Assesses compliance against the security and privacy controls required for all U.S. federal information systems except those related to national security.
Other fixes and improvements
- We’ve broken up Documents & Contacts into two separate pages (Documents and Contacts)
- Documents now includes all file-based evidence for a vendor and is categorized by source: general documents, additional evidence, or questionnaire responses
- Documents added as additional evidence are now available in the vendor’s Documents & Contacts
- Prioritized typosquatting results to first show homoglyphs with only one substitute character and where characters look similar to the original domain.
- UpGuard analysts can now redact a sensitive URL on a data leaks finding
- Improved the readability of cookie-based automated scanning results
- Added parked domain detection for registrar CSC
- Fixed an issue where users on Chromebooks couldn’t upload files

New vendor risk report
We added a new downloadable report to UpGuard. Now you can generate a report that outlines the security posture of any monitored vendor and share it. Reports can be configured to include automated scanning, questionnaires, and additional evidence, or be based on completed risk assessments. It’s also a nice way to introduce UpGuard to your colleagues, board members, or vendors without having to invite them to the platform.
We also added context around each identified risk and remediation recommendations that can be used to drive decision-making, speed up vendor due diligence, and drive remediation efforts.
Learn how to generate a vendor report
Additional evidence
At the start of August, we released additional evidence to select customers. Since then we have improved the functionality. We’re excited about this as it enables many of you to capture risks identified in documents that your vendors have proactively published to their websites. Starting today, additional evidence is available for all UpGuard VendorRisk users and we’ll keep improving it over time.
Learn how to capture additional evidence
Other fixes and improvements
- Reports can now be archived and deleted
- Added search to reports page
- Improved search and filter functionality to support renamed vendors
- Increased max vendor name length from 50 characters to 150 characters
- Fixed bug when extracting risks from completed questionnaires
- Several fixes to read-only users including removing their ability to dismiss notifications

Additional evidence
We've released a new feature called additional evidence in closed beta that will roll out to the entire user base in two weeks. If you would like access now, please get in touch.
While we recommend you use UpGuard's security questionnaires and automated scanning tools to assess your vendors, in some situations you may need to capture additional evidence about a vendor.
For example, you may send a questionnaire to a large SaaS vendor only to be directed to a page on their website that hosts complete security questionnaires, audit reports, and certificates. These documents provide insights into the vendor's security posture and attack surface.
Additional evidence allows you to capture and store this security or compliance-related documentation and associate any identified risks. Once identified, you can choose to include these risks in the vendor's risk profile, and cite them as part of a risk assessment.
Learn how to capture additional evidence here.
Other improvements and fixes
- Data leaks customers can now see search results from the dark web and Google searches

Improved WordPress information
A common misconfiguration for WordPress sites is to expose the names of users. We now display the actual user list in the UpGuard platform when this risk is detected.
Additionally, we now explicitly check for old versions of WordPress that have known vulnerabilities that can be exploited.
Other improvements and fixes
- You can now retrieve the current set of risks from a vendor via our API.
- Risks are now prepopulated when you request remediation through the Portfolio Risk Profile.
- Questionnaire due dates can now be changed. If you want to change a questionnaire's due date, click on the questionnaire, click the "actions" button, and then click "Set due date".
- You can now export to PDF and Excel in more places.
- When you have filters active and export data to PDF, the PDF that is generated will now display the filters you used.
- The check for certificates that are about to expire now triggers when a certificate is within 20 days of expiring, rather than 30. This change is designed to reduce the number of false positives, as some popular certificates (like Let's Encrypt) can be set to automatically renew when there are fewer than 30 days to expiry.

Improved webhook integrations
In addition to our API, UpGuard uses webhooks to notify other applications when an event happens in your account. This could be when an identity breach or data leak is detected, the security rating of a vendor drops below a threshold, or when a user requests access to your Shared Profile.
Our improved webhook integration allows you to customize the payload you send to the webhook. This means you can push data into your systems without having to support our default payload format.
If you’re an UpGuard account admin, you can set up new and configure existing webhook integrations from Account Settings -> Integrations, or by clicking here.
If you need a hand setting up your first integration, please read our article on how to integrate UpGuard with other services.
Vulnerabilities are now available through our API
The UpGuard API now lets you return the list of vulnerabilities detected for your organization and your vendors. Click here for details.
Other improvements and fixes
- When you filter your vendor portfolio based on labels you can now choose whether you want to see vendors that match any of the labels applied or restrict the results to only vendors who have all labels applied.
- You can now export from the "Vendors" page in Excel and PDF formats

Data Leaks Reporting
We're releasing a new feature for our Data Leaks customers called Data Leaks Reporting. It provides detailed analytics on the keywords you have provided us.
You'll be able to see which research results were classified as safe (by our algorithms or analysts), and which resulted in findings.
Please note: This feature will be rolled out over the coming week. In the meantime, be sure to check out our knowledge base article on Data Leaks Reporting.
If you are a current UpGuard customer and are interested in the Data Leaks module, please contact your Technical Account Manager or click the chat widget in the lower right corner of your screen.
UpGuard Vendor Risk
We've made some enhancements to the export functionality of Portfolio Risk Profile. You'll now notice that when you export data it will include the details of the specific risks identified at each vendor.
Read our knowledge base article on how to export from the Portfolio Risk Profile for more information.
UpGuard Breach Risk
We've also improved the export functionality of Vulnerabilities. When you export vulnerabilities, we now include the description of the CVE in the export.
If you would like to learn more about our Vulnerabilities module, read our knowledge base article here.

Shared Profile
We've made it easier to control who has access to your Shared Profile. You can now choose to give access to any registered UpGuard user or only to people you explicitly approve.
For context, a Shared Profile makes it easier to respond to security queries by allowing you to proactively publish information, such as completed security questionnaires or a SOC 2 report, alongside your security rating.
This saves your team time by allowing you to share vital information for potential and current customers without having to respond to the same questions over and over.
If you haven't contacted us to enable the Shared Profile functionality and would like to use it, please do so via support@upguard.com or via the chat widget in the bottom right-hand corner of your screen.
And if you'd like to configure your company's Shared Profile or access level, you can do so from the "My Shared Profile" page.
Improved knowledge base
To help you and your team get up to speed with existing and new features inside the UpGuard platform, we're rolling out a new knowledge base.
If you want us to explain how to use any of our features or what we consider best practices, please reach out to us and we'll do our best to accommodate.

Portfolio Risk Profile
We’ve released a new feature for UpGuard Vendor Risk customers called Portfolio Risk Profile. Explore this feature in the UpGuard platform.
It allows you to view the overall risk profile of your vendor portfolio in a single place. For example, you can filter down based on specific risks (e.g. open FTP port) or see all the risks associated with vendors that are labeled as “in-use”.
You can read more about what the Portfolio Risk profile is here, learn how to use its filter functionality here, and learn how to export data here.
In other news, you can now filter Executive Summary Reports across UpGuard Vendor Risk and UpGuard Breach Risk.
You can filter by label or score range in the UpGuard Vendor Risk Executive Summary and by label in the UpGuard Breach Risk Executive Summary. To apply a filter, click on the “Apply filters” button in the top right-hand corner of your screen.
We’re also investing in our user interface to ensure the UpGuard platform remains consistent, deliberate, and easy to use. Expect more improvements over the next few weeks.
UpGuard Vendor Risk
In summary:
- Released the Portfolio Risk Profile
- Added filtering for UpGuard Vendor Risk Executive Summary
- Improved the UI
UpGuard Breach Risk
We’ve improved our typosquatting module. It now checks for permutations based on other top-level domains. For example, if you are monitoring “example.com”, we will now return permutations such as “example.net”.
In summary:
- Improved typosquatting module
- Added filtering for the UpGuard Breach Risk Executive Summary
- Improved the UI
Report exporting improvements
We’ve greatly improved the report export functionality across the UpGuard platform. You can now export your own or a vendor’s risk profile to Excel. The Excel file contains a row for each combination of risk and domain / IP.
You’ll also notice that reports reflect any filters you have in place, such as label-based or score-based filtering. To try this out, log in to the UpGuard platform > go to your Risk Profile > apply a filter > click export.
You’ll see there is an option to apply active filters, as well as to export to PDF or Excel.
Additionally, we’ve made some changes to how we report on and classify domains and IP addresses across both UpGuard Vendor Risk and UpGuard Breach Risk:
- When a domain or IP is removed (from a vendor’s infrastructure or your own), you will now see a corresponding event in the “changes” view.
- Domains with open ports are now classified as “active” to better reflect an organization’s attack surface. Prior to this, domains with open ports but no website or email configuration were classified as “inactive”.
- Parked domains at several registrars are now considered “inactive”. If you have parked domains that do not appear inactive, please contact UpGuard Support and we can set them as “inactive”.
We also made a small change to our scoring engine. The "HTTP still accessible" check will now fail for domains that respond with a 4xx/5xx HTTP status code over plain HTTP. Previously only sites responding with 200 failed this check.
UpGuard Vendor Risk
We’ve made UpGuard Vendor Risk specific improvements:
- Domains and IPs are now viewable from Risk Assessments. This means when you conduct a risk assessment on a vendor, you can use the list of Domains and IPs monitored by UpGuard, as well as their associated risks, as part of the evidence for that assessment.
- We’ve made some improvements to how we collect fourth-party information for our Concentration Risk and Supply Chain modules. If you would like to know more about these modules, please contact UpGuard Support.
UpGuard Breach Risk
We’ve made UpGuard Breach Risk specific improvements:
- The Identity Breaches API now includes the data classification for each breach, such as whether it contains passwords, PII, or other sensitive information.
- Vulnerability alerts are now grouped into a single email. This means if you enable email notifications for new CVE discoveries, we will only send you one email per day that outlines all impacted domains and IPs. You can manage your notifications by clicking here.
Deeplinking, category scores and revoke certificate checks
We've made some changes to how we are structuring the sidebar in UpGuard CyberRisk. The Executive Summary is now split into two separate pages:
This better reflects the nature of the data contained in each page and ensures there is a consistent separation between UpGuard Vendor Risk and UpGuard Breach Risk. Additionally, we've reordered some other menu items to improve usability.
Other product-wide improvements in this release include:
- Deeplinking. If you click an UpGuard link, such as an email notification, and are not logged in, after logging in you will be redirected to the page you were trying to access
- Category scores. We've improved our API and have made category scores available through the Vendor List API endpoint
- Revoked certificate check. This is a new check that is part of our automated scanning
UpGuard Vendor Risk improvements
We've improved the ability to drill down into specific details on the UpGuard Vendor Risk Executive Summary. You can now:
- See which vendors fall within each score range in Current Risk Ratings Breakdown
- Navigate to the details of a specific vendor in Highest and Lowest Rated Vendors
- See what products your vendors are using in Supply Chain Risk Section
Additionally, we now:
- Display supported file types on the Documents and Contacts page.
- Have a new app or email notification type for when a Risk Assessment is published. If you would like to receive these notifications, head to the Notifications page.
UpGuard Breach Risk improvements
We've improved the UpGuard Breach Risk Executive Summary by:
- Allowing you to add up to ten competitors to Competitor Analysis
Additionally, we've made a few small improvements:
- Risk Profile and Risk Waiver pages now fall under UpGuard Breach Risk
Improvements to how we display domains and IPs
Over the next week, we'll be rolling out a change to how we display domains and IPs in the UpGuard platform.
Going forward, we will display inactive domains and IPs across your own infrastructure and that of your vendors. We previously only reported on active domains and IPs, e.g. ones running a website or with MX records. We track many more domains than what appears in the active section and now provide a way for you to view these.
UpGuard Vendor Risk improvements
We’ve also improved the design and usability of our new Risk Assessment feature, making it easier to create and read risk assessments. As always, if you’d like to try the feature please let us know via support@upguard.com.
And if your account is configured to factor questionnaire scores into the overall score of a vendor, you will now see a breakdown of the score on their risk profile and vendor summary page.
In short, we now show the total score, questionnaire score, and score based on automated scanning.
UpGuard Breach Risk improvements
We’ve added new functionality and data to the Identity breaches module:
- You can now send email notifications to those who are exposed in third-party data breaches. This is a good way to remind staff about the appropriate use of work email accounts, discourage staff from reusing passwords, or to remind people to change their passwords.
- Breaches can now be archived once you have processed them, e.g. once you’ve notified impacted employees.
- Our data set of breaches now includes additional breaches that were discovered by the UpGuard Cyber Research team.