UpGuard Release Notes

Learn about new features, changes, and improvements to UpGuard.
February 2021
Waive vendor risks

Abi Tyas Tunggal
February 8, 2021

We’ve made a small but meaningful improvement to how you manage vendor risks inside UpGuard. Vendor Risk Waivers lets you waive vendor risks identified through automated scanning, questionnaires, and additional evidence.  

This feature is particularly useful for risks identified through questionnaires. For those who are not aware, when you send a questionnaire through the UpGuard platform, we automatically identify risks based on the answers provided by your vendor and ask for compensating control information.

In the past, you couldn’t use this compensating control information to waive the risk even if you were happy with the information provided. Now you can waive risks and remove them from the vendor’s risk profile if the vendor has adequate compensating controls. 

Vendor Risk Waivers is currently in closed beta. If you would like access, please contact UpGuard support.

Learn how to waive a vendor risk.

Detect vendor data leaks

We’re introducing a new managed service called Vendor Data Leaks. As you may be aware, our team of analysts and proprietary data leak detection engine give us an unparalleled ability to find leaked credentials and exposed data before it gets into the wrong hands. 

Vendor Data Leaks extends these capabilities by monitoring for data leaks at your vendors so you know if they’ve exposed data before it impacts your organization. When our data leak detection engine finds an exposure at your vendor, our analysts review the data, assign a severity, and speak to you to get an appropriate vendor contact. 

Once we have a contact, we’ll work directly with the vendor to remediate the issue and notify you when the exposure has been resolved. 

Vendor Data Leaks is currently in closed beta. If you would like more information, please contact UpGuard support.

Learn more about vendor data leaks

Other fixes and improvements

  • You can now use the category filter on the risk profile in exports
  • Improved design of export modal
January 2021
Enhanced support for IP addresses

Abi Tyas Tunggal
January 19, 2021

Our IP Addresses feature helps you manage your cyber risk by providing an IP-centric view of your organization and its vendors’ attack surfaces. With IP Addresses, UpGuard automatically finds the IP addresses and ranges associated with the DNS records of an organization’s domains, as well as any IPs or ranges that are added manually. In the coming weeks, we’ll further enhance this feature by attributing ownership of IP ranges based on WHOIS data.

If an IP address is associated with at least one domain, UpGuard has already been scanning it during our domain-based analysis of security issues, misconfigurations, and vulnerabilities. As you know, this analysis then feeds into our scoring algorithm which gives the domain a security rating.

As part of this release, we now scan IP addresses that don’t have a DNS record for open ports and other security issues and give those IPs a security rating. Just as you can drill into the underlying issues associated with a scored domain, we surface the underlying security issues associated with these IP addresses, and what we recommend you do to improve your security posture. 

The other major change we’ve made is support for IP ranges. When you add an IP range, UpGuard will periodically scan through the range to discover any new assets. This is an excellent way to reduce the risks associated with shadow IT services as we’ll uncover potentially unknown assets during these scans.

Clicking into an individual IP address will show you the owner, associated IP range, country, autonomous system (AS), autonomous system number (ASN), and any associated domains or risks. Likewise, by clicking into an IP range, you’ll see the owner, country, and number of IPs in the range, as well as any detected IP addresses or domains. Both views can be filtered by services, IP owner, ASN, or IP country.

IP Addresses is currently a beta feature. If you or your team would like to test IP Addresses prior to its official release, please contact us at support@upguard.com.

Learn how to monitor your IP addresses and ranges and see how we can help you monitor your vendor’s IP-based assets here.

Templates for remediation requests, risk assessments, questionnaires, and identity breach notifications

Templates lets administrators set up templates for remediation requests, risk assessments, questionnaires, and identity breach notification emails sent from the UpGuard platform.

Using templates is a great way to save time and ensure consistency and uniformity across teams and processes by reducing mistakes and errors caused by copying and pasting text across documents.

Templates are available for customers on the Professional bundle and up or as an add-on on lower plans.

Learn how to set up templates

Other fixes and improvements:

  • Changed Attestations to Answer Questionnaires in the sidebar to make it easier for new users to know where they need to go to respond to questionnaires
December 2020
What's new in UpGuard | December 2020

Abi Tyas Tunggal
December 31, 2020

Learn about new features, changes, and improvements to UpGuard this month:

  • We’re adding a new beta feature that helps you manage your third-party vendor risk by delivering comprehensive reports that give you an in-depth understanding of your vendors' security posture.
  • We're also releasing enhanced support for IP address monitoring as a beta feature. Automatically find IP addresses and ranges associated with the DNS records of your domains and any that you manually add.
December 2020
Let UpGuard manage your third-party vendor risk

Abi Tyas Tunggal
December 15, 2020

Managed Vendors helps you manage your third-party vendor risk. UpGuard analysts assess your vendors and present their findings in a comprehensive report based on the analysis of security questionnaires, compensating control information, public security documentation, and security ratings data. 

Beta users can now see which vendors are managed by UpGuard, request an assessment, and get notified when analysts publish a new assessment from inside the platform. 

Managed Vendors is currently a beta feature. If you are a current Managed Vendors customer or want to learn more about how UpGuard can help you manage your third-party vendor risk, please contact us at support@upguard.com.

Learn more about managed vendors and how to use it.

Other fixes and improvements:

  • Added support for filtering by individual CVE on the subsidiary risk profile
  • Standardized and increased character limits on in-app correspondence
  • Risk rating icons and alert colors now match
  • Fixed issue causing questionnaires to become unavailable in Vendor Risk Report when new questionnaire was in draft
November 2020
What's new in UpGuard | November 2020

Abi Tyas Tunggal
November 30, 2020

Learn about new features, changes, and improvements to UpGuard this month:

  • We’re adding support for subsidiaries as a beta feature. This makes it easy to identify common misconfigurations and security issues shared across your organization and its subsidiaries.
  • Filters on your portfolio Risk Profile now dynamically apply.
  • The buttons and fields throughout the platform now all look, feel and behave in the same way.
November 2020
Improved input fields, button styles, and hover states

Abi Tyas Tunggal
November 25, 2020

We’ve updated input fields and button styles throughout the platform to ensure consistency. Whether you’re searching for findings on your risk profile, looking for a specific vendor, or filtering vulnerabilities, input fields and buttons should now look, feel, and behave in the same way. This makes it easier for new users to get up to speed quickly and for existing users to learn how to use new features as we release them.

In addition to these changes, we’ve made accessibility improvements to our icons by increasing their clickable area and adding hover states. These improvements mean the platform is easier to use for users with smaller screens or poor eyesight.

Other fixes and improvements:

  • Fixed issue where the character limit was longer when creating a remediation request than when editing it
  • Fixed issue causing runtime error on large exports
  • Domains parked with register.com will now appear as inactive
  • Added exception from the non-httpOnly cookie risk for Imperva and Barracuda WAF cookies
  • Fixed issue causing remediation request email to not display company name when there are multiple users on the request
  • Fixed issue causing remediation request timeline to not display the original requester’s name when multiple users are added to the request
November 2020
Monitor your subsidiaries

Abi Tyas Tunggal
November 10, 2020

We’re adding support for subsidiaries as a beta feature. This makes it easy to identify common misconfigurations and security issues shared across your organization and its subsidiaries. You can see a tree structure of your organization, click into individual subsidiaries, and dive deep into their risk profile, domains & IPs, vulnerabilities, and even their own subsidiaries. You can also request remediation of identified risks from your subsidiaries.

Examples of things you can do:

  • Find security issues shared across your organization and its subsidiaries
  • Identify subsidiaries with poor security postures
  • Understand your complete security profile from the parent company down to the individual subsidiary.

We hope you’ll find a lot of use for subsidiaries and we think this will make UpGuard work better for many different types of organizations.

If you would like to beta test the subsidiaries feature, please contact us via support@upguard.com or by using the live chat in-app which can be found in the bottom right corner of your screen. Once enabled, subsidiaries will show up under Subsidiaries under the BreachSight section of the sidebar. Click on it to view your subsidiaries and explore the additional functionality that has been released.

How to use subsidiaries to monitor your organization’s attack surface

Dynamic filtering on portfolio risk profile

When you select other filters that impact the list of findings available on your Portfolio Risk Profile, the findings filter now dynamically adjusts to only show the corresponding identified risks. For example, if you choose the risk category Website Risks, the findings will only show those that correspond to that category.

How to filter the portfolio risk profile

Other fixes and improvements

  • Fixed issue causing Excel questionnaire exports to not match the UI
  • Fixed issue where PDF exports would cut off questionnaire answers if they were too long
October 2020
Create notes inside the UpGuard platform

Abi Tyas Tunggal
October 28, 2020

You can now leave generic notes about your vendors inside the UpGuard platform without having to upload a file. This means you can drop in any information you need without having to create and upload a separate document.

This could be information about what project the vendor relates to, why the vendor has been engaged, and any other important information like contract dates or SLAs that don’t justify creating and uploading an entire document.

We hope this feature means you can start storing more of your vendor-related information in UpGuard and we can start acting as your central vendor management repository.

Learn how to create notes

Better vendor filtering: NOT operator and unlabelled support

You can now filter your vendors to show any that do not match a particular label (or labels). For example, you can now see all vendors who are NOT labeled with “Customer Data”.

We’ve also added a special label called “unlabelled”, which can be used to find all vendors who do not have a label applied or, if you use the NOT operator, all vendors who do have labels.

Learn how to filter your vendors

Other fixes and improvements

  • Improved the design of the top of vendor summary pages
  • Fixed a UI issue that caused long vendor names to push the close button off-screen in the vendors section in the sidebar
  • Improved support for domains parked with GoDaddy; these domains will now appear as inactive
  • Fixed bug causing data leaks reporting to display duplicate keywords under some circumstances
  • Made changes to remediation requests so that risks will update when domains become active or inactive
  • Improved error message for situations where new users try to claim an expired invitation
  • Questionnaires and other vendor assets are now stored when you stop monitoring a vendor and will be there if you start monitoring the vendor again
  • Fixed UI issue causing risk assessment notifications to be hard to dismiss
  • Individual vulnerability notifications can now be dismissed
October 2020
Scoring algorithm improvements

Abi Tyas Tunggal
October 12, 2020

We have made significant improvements to our scoring algorithm. From time to time, we adjust our scoring algorithm based on new information gleaned from industry trends, research, and customer feedback. It is important to note that our new scoring algorithm may have reduced your security rating and those of your vendors.

Here’s what improvements were made and why:

  • Lower scores are weighted more heavily: Ensures poor security on an individual domain or IP address is not “averaged out” by otherwise good security across an organization’s infrastructure. An organization is only as secure as its weakest link.
  • Greater emphasis on network security issues: Open ports, while not dangerous on their own, often expose vulnerable services. A great example of this risk is WannaCry, a ransomware cryptoworm that infected more than 300,000 computers by exploiting a zero-day in old versions of a network protocol called SMB. WannaCry was so successful because the SMB port is open by default on many legacy Windows machines.

As part of these improvements, we have combined our brand and reputation risk categories. Brand and reputation are two sides of the same coin and we believe it makes more sense for the underlying risks to fall under the same category.

Please read this article for more information about how you should respond.

Improved design and functionality for vendor reports

We’ve improved the design and functionality of our vendor report.

Based on your feedback, we have reduced the amount of UpGuard branding on the cover page of the report. If you have custom branding enabled, reports now include your logo on the cover page.

In addition to these design changes, you can now generate vendor reports from any instant report vendors. These improvements are designed to make the report more accessible and easier to understand for recipients whether they’re internal stakeholders or vendors.

Learn how to generate a vendor report.

Other fixes and improvements

  • Changed font from Lato to Inter, a more modern typeface that is consistent with the new UpGuard website
  • Fixed issue where switching between category and overall views on risk profile caused waivers and custom domains checkbox to become unticked
October 2020
Better emails: Support for company branding and better calls to action

Abi Tyas Tunggal
October 1, 2020

We made significant improvements to our emails. The most notable change is that you can now add company branding. Once enabled, your logo will appear at the top of any email sent by us to vendors or internal stakeholders. This makes it easier for recipients to understand who is making the request and will result in less back-and-forth between you and your vendors.

As part of these changes, we’ve also refreshed the design of our emails to make it easier for recipients to know what action they need to take next. This change means faster responses, better engagement, and less time spent chasing up requests.

Learn how to enable co-branding.

Remediation workflow for vulnerabilities

You can now request remediation of verified and unverified vulnerabilities in first and third-party remediation workflows. This is part of our ongoing work to improve our vulnerability management capabilities.

Learn how to request remediation from a vendor.

Export individual identity breaches

You can now export individual identity breaches as a PDF report or to Excel. The PDF report is a great way to communicate the extent of an identity breach to your internal stakeholders without having to invite them to UpGuard.

Learn how to export an identity breach.

Other fixes and improvements

  • Improved in-product references to relevant knowledge base articles
  • The Vendor Risk executive summary now shows the number of vendors your organization monitors over time
  • You can now label your inactive domains and labels will remain when domains transition from inactive to active or active to inactive
  • Data leaks reporting now shows all keywords including those with no results
September 2020
Improved vulnerability detection and management

Abi Tyas Tunggal
September 16, 2020

We’ve expanded our vulnerability detection and management capabilities by differentiating between verified and unverified vulnerabilities.

As UpGuard scans from outside companies’ networks, there are some vulnerabilities we can confirm (verified vulnerabilities), but others we only know may exist (unverified vulnerabilities). When verified vulnerabilities are detected, you’ll also be able to see them on your, and your vendors’, risk profiles and use them in our remediation and risk waiver workflows.

In addition, you can now ignore unverified vulnerabilities to remove them from the vulnerabilities list. This is different from a risk waiver because you are signaling that the risk doesn’t exist, as opposed to a risk waiver where you are accepting the risk.

To learn how to use our vulnerabilities feature, see our articles on UpGuard BreachSight vulnerabilities and UpGuard Vendor Risk vulnerabilities.

Audit log

Administrators can now see an audit log of important events in the UpGuard platform and who actioned them.

This will allow you to see, for example, who has logged in, who has had their permissions changed, whether an UpGuard employee has viewed your account, when a questionnaire has been sent, when a risk assessment has been published, and much, much more.

Learn about the events tracked through our audit log.

Six new questionnaires

As part of our continued investment in the platform, we’re releasing six new questionnaires:

  • COBIT 5 Security Standard Questionnaire: Assesses compliance against the Control Objectives for Information and Related Technologies Framework created by ISACA.
  • ISA 62443-2-1:2009 Security Standard Questionnaire: Assesses compliance against the ISA 62443-2-1:2009 standard for industrial automation and control systems.
  • ISA 62443-3-3:2013 Security Standard Questionnaire: Assesses compliance against technical control system requirements associated with the seven foundational requirements (FRs) described in IEC 62443-1-1.
  • GDPR Security Standard Questionnaire: Assesses compliance against the personal information disclosure requirements outlined in the European Union's General Data Protection Regulation (GDPR).
  • CIS Controls 7.1 Security Standard Questionnaire: Assesses compliance against the best practice guidelines for cybersecurity outlined in 20 CIS Controls.
  • NIST SP 800-53 Rev. 4 Security Standard Questionnaire: Assesses compliance against the security and privacy controls required for all U.S. federal information systems except those related to national security.

Other fixes and improvements

  • We’ve broken up Documents & Contacts into two separate pages (Documents and Contacts)
  • Documents now includes all file-based evidence for a vendor and is categorized by source: general documents, additional evidence, or questionnaire responses
  • Documents added as additional evidence are now available in the vendor’s Documents & Contacts
  • Prioritized typosquatting results to first show homoglyphs with only one substitute character and where characters look similar to the original domain
  • UpGuard analysts can now redact a sensitive URL on a data leaks finding
  • Improved the readability of cookie-based automated scanning results
  • Added parked domain detection for registrar CSC
  • Fixed an issue where users on Chromebooks couldn’t upload files
September 2020
New vendor risk report

Abi Tyas Tunggal
September 2, 2020

We added a new downloadable report to UpGuard. Now you can generate a report that outlines the security posture of any monitored vendor and share it. Reports can be configured to include automated scanning, questionnaires, and additional evidence, or be based on completed risk assessments. It’s also a nice way to introduce UpGuard to your colleagues, board members, or vendors without having to invite them to the platform.

We also added context around each identified risk and remediation recommendations that can be used to drive decision-making, speed up vendor due diligence, and drive remediation efforts.

Learn how to generate a vendor report

Additional evidence

At the start of August, we released additional evidence to select customers. Since then we have improved the functionality. We’re excited about this as it enables many of you to capture risks identified in documents that your vendors have proactively published to their websites. Starting today, additional evidence is available for all UpGuard VendorRisk users and we’ll keep improving it over time.

Learn how to capture additional evidence

Other fixes and improvements

  • Reports can now be archived and deleted
  • Added search to reports page
  • Improved search and filter functionality to support renamed vendors
  • Increased max vendor name length from 50 characters to 150 characters
  • Fixed bug when extracting risks from completed questionnaires
  • Several fixes to read-only users including removing their ability to dismiss notifications