UpGuard Release Notes

We launched a new feature called Risk Assessment. This feature is currently available on request, if you would like access please email support@upguard.com.

Risk Assessment allows you to:

• Specify the evidence you reviewed as part of the assessment (including questionnaires and automated scan results)
• Document your findings based on this evidence
• Record who conducted the assessment
• Export the assessment as a PDF
• Make the assessment visible within the app to all the users of your account

UpGuard Vendor Risk improvements

We've also released two Pandemic questionnaires designed to help you assess your vendors' readiness to deal with the current pandemic, as well as improved PDF report generation.

When you export information to PDF, it will now appear in the sidebar under a new menu item called "Reports". This also fixes the bug where generating reports for large vendors would sometimes time out.

UpGuard BreachSight improvements

We've added an API that returns information about your company's identity breaches, made it easier to tell which domains and IPs you've added manually, and pushed quite a few bug fixes and minor tweaks.

New Vendor Summary: When you look up a vendor, the first page you see is now a new Vendor Summary. This provides a management-level view of the vendor, and can also be exported as a pdf.

Other improvements

• Enhanced Risk Profile: We’ve made a number of improvements to the Risk Profile page, including the ability to filter by risk category (e.g. website risks, email risks, etc.)
• Websites & APIs is now called Domains and IPs
• Greatly enhanced port scanning: We now explicitly check for nearly 200 services running across thousands of ports. We also report any services that we can’t identify, and any open ports where no services are detected.
• We’ve made some changes to our scoring algorithm: Updated email security checks: this includes a new check for the DMARC policy (which fails if p=none). For information on email security, see https://www.upguard.com/blog/email-security
• Improved checking for open ports/services: As part of enhancing our port scanning capability, we have reviewed and updated the severity of risks associated with open ports/services. The HSTS checks now include a check against the Chromium preload list. If a domain is on the preload list, all HSTS checks pass for that domain and all its subdomainsUpdated domain status checks for .au domains: We no longer check for clientTransferProhibited or serverRenewProhibited on .au domains, as they are not applicable
• Changes to open ports can now be reflected in CyberRisk sooner, by pressing the “RESCAN” button. When a port is closed, manually requesting a rescan of the website will now detect the change to the port sooner (usually within a day).
• WHOIS lookup within Typosquatting: When you view a registered permutation of a domain you are monitoring for typosquatting, you can now see that permutation’s WHOIS information
• New Questionnaires: We have added questionnaires for PCI DSS, CPPA, and Modern Slavery.

• Export Vulnerabilities: You can now export the list of vulnerabilities
• Better domain discovery: We’ve made further improvements to our domain discovery engine, which results in more domains and subdomains being discovered.
• Various usability tweaks and bug fixes

We have released a new questionnaire that is mapped to NIST CSF. To use this questionnaire, you'll first need to enable it from the "Questionnaire Library" section of Vendor Risk. When one of your vendors completes a questionnaire, any risks identified will be mapped to the corresponding CSF control categories.

• Share your security profile: Make it easier for other companies to assess your cybersecurity posture by proactively publishing security-related information including questionnaire responses and other security documents. Control who has access to these documents, and see who has viewed them. Invite companies to view your Shared Profile when they are assessing you, and spend less time completing security questionnaires. Contact UpGuard Support to enable your Shared Profile.
• Export questionnaires: Download completed questionnaires as pdfs.
• Questionnaire workflow improvements: When you receive a completed questionnaire, mark it as “in review” to keep track of who in your team is reviewing which questionnaire response.
• API enhancements: Data leaks are now available through the API. See the API documentation for more details.
• Various bug fixes

• Executive Summary Report: We’ve created a new report to provide a summary of your own cybersecurity posture, and that of your vendors. We’ll be activating it for existing customers over the next week or so.  As part of this change you’ll notice the “Dashboard” page has been replaced with two new pages - the "Executive Summary", and a dedicated “Notifications” page.
• Enhanced file upload feature for questionnaires: When providing evidence as part of responding to a security questionnaire, you can now point to a file that you've already uploaded. This allows the same file to be referenced as evidence for multiple questions without having to upload multiple copies of it.
• Various bug fixes, including some display issues related to the Microsoft Edge browser.

• You can now receive notifications when your company's score drops below a certain threshold, or by a certain number of points.  To opt in and out of these notifications, use the "manage notifications" link on the dashboard page. To customise the set notifications available to users in your account, go to Account Settings -> Notifications (admin users only).
• The Insecure SSL/TLS Versions check now fails for TLSv1.1, in addition to SSLv2, SSLv3, and TLSv1.0. See RFC 7525 for more detail on why TLSv1.1 should be disabled.
• We fixed a bug where for some websites we would incorrectly report old versions of TLS as being available.
• We improved the way we display vendors who's primary domain does not have a website running on it.

• WordPress scanning: Whenever we detect that a site uses WordPress, we now run a series of additional security checks. These checks identify configuration problems that leave WordPress sites vulnerable to attack.
• Supply Chain Concentration Risk (beta):  We have launched a beta of a new feature which highlights where companies in your supply chain (e.g. your vendors) rely on common underlying technology (e.g. hosting providers, email providers).  Contact UpGuard Support if you would like early access to this feature.
• The character limit for messages you include when sending questionnaires has been increased from 300 to 1000
• Various bug fixes

• We’ve improved the way we display your list of vendors and instant reports.
• You can now search for vendors by URL as well as name
• We’ve improved the way questionnaires are displayed, including making it easier to view the risks, and improving the question numbering
• We've changed the algorithm for scoring questionnaires to improve the way unanswered questions are weighted.
• We’ve improved the way “Assurance” customers view their customer portfolio

• You can now add custom labels to your websites in BreachSight, just like the labels you can already add to your vendors in VendorRisk. You can then use labels to filter websites on all pages where your websites are shown.
• UpGuard has now been added as one of your monitored vendors in VendorRisk, if you were not monitoring the UpGuard vendor already. This will not count towards the available monitored vendor slots in your account. If you are not using VendorRisk already, you will now be able to access it, with UpGuard as your only monitored vendor.
• We've improved our risk model for redirect domains. These are domains that redirect users to a different domain, and do not themselves host a website. Before this change, if example.co.uk redirected to example.com, some of the risks that we scan for were only being identified on example.com, and example.co.uk was not being checked for all possible risks. With this change, all risks applicable to example.co.uk will now be correctly identified. The most significant new risks that you may start seeing on redirect domains are related to HTTPS support and SSL certificate issues. You may notice some fluctuations in website scores as this change is rolled out, but the end result will be a more accurate reflection of the risks associated with these domains.
• It's now easier to manage your Cyber Risk API keys from your account Settings page. You can have multiple active API keys, and specific keys can be deleted. This allows API keys to be rotated more easily, when required.
• Various bug fixes.
• You will now be notified on your Cyber Risk dashboard when we release new features in future. Keep an eye out for the notification.

• You can now add "private" notes to questionnaires and remediation requests. These are visible to users of your account, but not to the recipients of the questionnaire or remediation request.
• We've improved how we present your own score. When we display your own company's score to you, we can draw on public information (such as the configuration of your websites) as well as private information (such as which vendors you have marked as "in use"). This lets us provide the most complete view of your security posture. When someone else (another CyberRisk customer) looks up your company however, we report your score based only on the publicly available information. This has caused some confusion, and to address this, we've changed the way you see your own score on your "Risk Profile" page. You can now choose to either see your "public" score, or also factor in the private data you have provided.
• When you manually request a scan for a given website, we are now rescanning for open ports on that website more quickly. At times it may still take a while for refreshed port scan data to flow through, but it should often appear within 10 minutes or so. Note that when ports change from "open" to "filtered" (as opposed to "closed"), it will still take up to 30 days for changes to flow through.
• When you manually request a scan for a given website, and the scan fails (for instance, if the website is no longer running) we now report the failure, as well as how many times it's failed previously, and when the website will be removed (after 4 consecutive failures).
• You can now request remediation or create a risk waiver from the Risk Profile page, or while looking at the details of a specific website.
• We fixed a problem with vulnerabilities where some websites that use shared IP addresses would have vulnerabilities incorrectly assigned to them.
• We've made a number of UI improvements and bug fixes

• We now allow vendors to be filtered by a score range, and use this to provide a clickthrough from the vendor breakdown on the dashboard.
• We have extended vendor filtering to cover the contents of the dashboard (including the vendor breakdown) and the remediation list.
• We have created a questionnaire library, allowing account admins to easily configure which questionnaire types are able to be selected and sent by their users.It also allows non-admin users to browse and preview those questionnaire types that have been selected for the account.
• Various bug fixes