UpGuard Release Notes

This feature makes populating vendor attributes instant and easy. You’ll now be able to automatically apply tiers, labels, portfolios or custom attributes to your vendors, based on answers collected from an internal relationship questionnaire. With flexible logic and the ability to create simple or complex automation rules, this feature reduces the manual effort required to collect and store information about your vendors, and makes it easy to apply consistent logic across your entire vendor portfolio. 

Automation will be available to Vendor Risk customers on Professional, Corporate and Enterprise plans, and is currently being rolled out to a closed beta release group. To join the beta, get in touch with your Customer Success representative. 

New vulnerability detections added

• We now detect the actively exploited Ivanti / MobileIron vulnerabilities  CVE-2023-35078, CVE-2023-35081, and CVE-2023-35082.
• We also detect two Wordpress plugins that are being actively exploited, Advanced Custom Fields and Essential Addons for Elementor. 
• Unverified vulnerabilities have been added for websites using AngularJS. 

Other improvements

• Vendor Risk customers can now archive shared questionnaires and additional evidence, to keep your questionnaires view up to date and free of clutter. 
• This release also contains a number of bug and performance fixes

You can now create and save custom report templates in the Reports Library, including the ability to add custom commentary and configure which elements to include in your report. Templates can then be used by you and others in your organization to run custom reports. 

We have also made some further improvements to the report Library display and navigation to make it quicker and easier to find and run the reports you need.

The navigation improvements and the ability to customize reports is available to all users, but the ability to save custom templates for re-use is limited to customers on Professional plans and above. 

To learn more about custom reports see How to create a custom report template.

New Vulnerability detections added

• We now detect jQuery vulnerabilities. These are based on the version of the library in use, and are marked as unverified vulnerabilities with no score impact.
• Added detections for new vulnerabilities in Atlassian Bamboo (CVE-2023-22506) and Confluence (CVE-2023-22505, CVE-2023-22508). 
• Improved version detection for Citrix Gateway and ADC vulnerabilities CVE-2023-3519, CVE-2023-3466, and CVE-2023-3467. These vulnerabilities are also known to be exploited and should be investigated if detected. 

Other improvements

• Improvement to questionnaire builder to allow for optional free text field to be added against single-select and multi-select (radio/checkbox) questions 
• This release includes a number of bug fixes

This release we’ve introduced a new bulk upload tool for additional evidence in Vendor Risk. Adding additional evidence is vital to maintaining an accurate view of your vendors—and a huge time-saver when it comes to performing faster risk assessments without the need for lengthy questionnaires. Learn more about additional evidence. 

UpGuard’s integration is now compatible with ServiceNow’s latest version

For customers utilizing our ServiceNow integration, you can rest assured that it is compatible with the Utah version of ServiceNow, as well as previous versions Tokyo and San Diego. 

Other improvements

• This release includes a number of bug fixes

This release includes expanded sources for reputation risk detection, improvements to reporting templates, as well as additional evidence enhancements and more. 

Improvements to reputation risk detection

This release includes expanded sources for reputation risk detection, to ensure your assets are better protected against malicious actors. We’ve improved a number of areas, including detection of domains and IPs that are communicating with command and control servers, suspected of brute force login attempts, conducting unsolicited scanning, distributing malware, and hosting phishing sites. These improvements also provide visibility of when a domain or IP has been mistakenly flagged on one of the reputation lists, and allow corrective action to be taken.

UpGuard collects reputational risk data from a variety of sources. We include the source of the data in the risk’s “actual” value so that you have transparency into the information being used.

Board summary report now available as a PowerPoint presentation

Fans of our board summary reporting template will rejoice, as you can now download this report as an editable PowerPoint document for easy customization and sharing. 

Other improvements

• It is now easier to see when you’ve saved documents against your vendors that might help in your assessment of them—like a SOC2 report, or ISO 27001 certificate. You can now add  “Evidence” and “Questionnaires” columns to the Vendors page, and filter by additional evidence and questionnaire types. 
• There is now an informational risk present for use of TikTok Analytics.

Learn about new features, changes, and improvements to UpGuard this month.

We have made several improvements to BreachSight reports in this release, including the addition of a new subsidiary report.

• BreachSight report: we’ve improved visualizations as well as added flexibility to build custom reports and add custom commentary.
• Organizations that include subsidiaries: the new subsidiary report allows you to run a detailed risk report for your organization and its subsidiaries and compare the performance of subsidiaries over time. 

To learn more about the changes see How to generate a BreachSight report and How to generate a BreachSight Subsidiaries report.

Other improvements

• Improvements to Vendor Risk Waivers allowing increased flexibility to select and edit domains/IPs or questionnaires included in the risk waiver. 
• Enhanced filters for questionnaires. With these new filters, you can easily sort through shared assets based on their status, making it even easier to keep track of all important documents and information provided by your vendors.
• A new Post Breach questionnaire type is now available in the Questionnaire Library. This questionnaire is designed to be sent to a vendor following a breach.
• This release also includes a number of bug fixes.

In this release we have made a number of improvements to Vendor reports and the Board summary report. These include improved visualizations as well as increased flexibility to build custom reports and add custom commentary. To learn more about the changes see How to generate a vendor report and How to generate a board summary report.

Other improvements

• Scheduled reports which were previously only available for higher plans are now available to all customers. To learn more see What are recurring reports.
• We’ve improved the custom vendor attributes feature to allow multi-select set lists. To learn more about how to use custom vendor attributes to store information about your vendors see How to use custom vendor attributes.
• We’ve made a change to make it clearer to vendors that a questionnaire has been archived, preventing vendors from editing them. 
• We’ve made some improvements to the recently released Questionnaire changes view feature to make navigating to see changes even easier. To learn more see How to compare responses using the Questionnaire Changes View.
• We’ve added low severity risks related to TLS, including use of insecure cipher suites, common or weak Diffie-Hellman primes, and weak public keys. These will initially be released as provisional with no score impact.
• We’ve made improvements to asset geolocation, now showing the location of the IP address rather than the IP owner.
• This release also includes a number of bug fixes.

Today we’re releasing a new tool called AIEnhance, to help vendors respond faster and more accurately to questionnaires. Powered by AI, this feature is the first of its kind, as it allows vendors to turn short bullet points or rough draft notes into full sentence responses with the click of a button. It can correct grammatical mistakes, remove typos, and improve responses instantly without having to leave the questionnaire.

This feature is now in beta, available to all vendors who have been sent an UpGuard standard questionnaire. It is not yet available on custom questionnaires. We welcome feedback as we continue to make it easier and faster to respond to questionnaires. Learn more about AIEnhance.

Improved IP range presentation

The IP Ranges tab will now only show ranges that are wholly owned by the organization you are viewing. 

Risk for VMWare daemon

We will now raise a high severity risk when the VMWare authentication daemon is publicly exposed, a service that is used in products including ESXi. 

Informational risk for Meta Pixel

We will now raise an informational risk when we detect the Meta/Facebook Pixel. While this technology can be implemented benignly, it has been involved in several data breaches where personal health information was improperly transmitted to Meta via the tracking Pixel. 

Improvements to additional evidence 

Vendor Risk customers now have more flexibility to track additional evidence that is attached to a monitored vendor, with these changes:

• Additional evidence risks are now able to be edited
• New additional evidence document classification types have been added, alongside the ability to add your own custom types

For more information about these changes see  How to capture additional evidence.

Other improvements

• This release includes a number of bug fixes

We’ve improved our scanning, adding new risks to identify software that is past its end-of-life date, including indicating end-of-life date. End-of-life software no longer receives updates, including for security issues. Using this software is extremely risky as it is likely to have vulnerabilities without patches, and those vulnerabilities are often targeted by threat actors.

To see any end-of-life software risks affecting your organization, login to your Cyber Risk account.

Improve visibility of status for Managed Vendors

We’ve added new Service Status and Analyst Notes fields to the Managed Vendors page to help organizations using Third-Party Risk Management Services to easily see the status of their requests. To learn more about these changes and Third-Party Risk Management Services see How to request a managed service.

Other improvements

• This release includes a number of bug fixes

These two features which have been in limited beta are now available to all eligible customers. This release also includes additional Excel exports available across the platform, improvements to questionnaire exports, and more. 

Portfolios for your domains in BreachSight

Asset portfolios provide a way to group your domains together to simplify asset management, enforce access controls, and segment reporting. Portfolios are flexible and configurable, allowing you to group assets however best supports your business—by region, business unit, or other internal structures. Newly discovered subdomains will automatically inherit portfolio membership from their parent, ensuring consistent visibility over dynamic footprints. To learn more see  How to use asset portfolios to segment your domains.

This feature is included in all Professional, Corporate and Enterprise plans. Otherwise, to get access to this feature get in touch with your Technical Account Manager or contact us via support@upguard.com. 

Public Risk waivers

To make it easy for you to share information about compensating controls with UpGuard users in other organizations, you can now share risk waivers that you create with organizations that monitor you as a vendor. To learn more see How to use public risk waivers in Breachsight. 

Vendor Risk users will be able to see if a vendor organization has any public (shared) risk waivers, review them, and choose whether to accept those risk waivers. To learn more see How to use public risk waivers in Vendor Risk.

Excel exports

To make it easier to extract and analyze the information and data you need, we’ve added a number of new Excel exports across the platform. New exports include: 

• Risk profile changes view
• Risk waivers
• Individual remediation requests
• BreachSight and Vendor Risk executive summary
• Subsidiaries

Improvements to questionnaire exports

We’ve made improvements to questionnaire exports to allow inclusion of messages and comments. We’ve also added more fields to questionnaire summary exports to help you track and report on questionnaire activity and status across your vendors. 

Other improvements:

• Updates to risks for non-standard HTTP & HTTPS ports
• This release includes a number of bug fixes

Learn about new features, changes, and improvements to UpGuard this month.

To promote your security rating to your customers and partners, you can easily embed our score badge on your website by clicking Share rating in the top right corner of any BreachSight page within the app. Visit How to add your security rating badge to your website to learn more. 

Public Risk waivers - BETA release

To make it easy for you to share information about compensating controls with UpGuard users in other organizations, you can now share risk waivers that you create with organizations that monitor you as a vendor. To learn more see How to use public risk waivers in Breachsight

Vendor Risk users will be able to see if a vendor organization has any public (shared) risk waivers, review them, and choose whether to accept those risk waivers. To learn more see How to use public risk waivers in Vendor Risk 

This feature is now available to Beta customers. If you would like to get early access, get in touch with your Technical Account Manager or contact us via support@upguard.com. 

Compliance reporting for new ISO 27001 (2022) questionnaire 

Following on from the recent release of the new ISO 27001 (2022) questionnaire, we’ve added a new framework to our compliance reporting to provide an easy way to assess the level of compliance that a vendor has against this standard. To learn more see What is compliance reporting in UpGuard Vendor Risk.

Other improvements

• Bulk IP address labeling – when importing lists of IP addresses, you can attach labels to them.
• This release includes a number of bug fixes.