
Ability to adjust severity of vendor risks

We’ve added the ability to allow users to reduce the criticality of a risk based on compensating control/information provided by the vendor, making it easier for you to manage vendor risks within the platform. In this release we’ve made this available for risks raised from questionnaires, and will be extending this capability for scanning and additional evidence risks in future releases.
To learn more see How to adjust the severity of a risk.
Automation of tiers, labels, portfolios and custom attributes
Vendor Risk customers on our Professional, Corporate, and Enterprise plans can now say ‘goodbye’ to the time-consuming manual work of classifying vendors. Our automation feature allows you to set up rules that trigger when a relationship questionnaire is returned, automatically populating the vendor’s attributes with information gathered in the relationship questionnaire.
Not only does this save time and reduce manual repetitive tasks, it is useful in codifying your vendor classification processes, so you know that the information you’re storing is accurate and consistent.
To learn more see How to use automation to apply tiers, labels, portfolios and custom attributes to your vendors.
Other improvements
- We’ve made some improvements to risk assessments including making changes to ensure commentary edits are carried over between versions and on re-assessment
- This release also includes a number of bug fixes

Ability to shortlist key risks in risk assessments

We’ve added the ability to create a shortlist of key risks as part of a risk assessment, allowing you to highlight important risks and those requiring follow-up. You can choose to include only key risks as part of your risk assessment report, in lieu of displaying the full list of risks. To learn more see How to complete a risk assessment.
API flexible permissions
We’ve revised API permissions to allow a finer-grained set of permissions and visibility:
- Added a Read/Read&Write flag so that a given API key can either access only GET functions or access GET, PUT, POST and DELETE functions.
- Expanded on the current Data Leaks permission to allow an API key to be defined by role.
- To protect existing integrations, all existing API keys will be granted full access. The new model applies only to keys generated after this release.
To learn more see UpGuard’s API documentation.
Vendor monitoring API changes
We’ve created specific API endpoints to start monitoring and stop monitoring a vendor. This allows us to follow more established and consistent API design practices as well as restrict the monitoring to only those API Keys that have Vendor Risk Read&Write permissions. In subsequent releases, we will deprecate the “start_monitoring” flag in the /vendor API endpoint and remove that feature:
- Vendor ID or Primary Host Name) to the list of monitored vendors. This supports the same functionality as our existing /vendor API when start_monitoring = true, such as:
  - The ability to apply labels and tiers;
  - A wait for a scan feature that scans the vendor before returning the results;
  - Checks on UpGuard licenses maximum Vendor counts.
- /vendor/unmonitor – A new endpoint that will remove the specific vendor (based on Vendor ID or Primary Host Name) from the list of monitored vendors.
To learn more see UpGuard’s API documentation.
SysAid vulnerability detection
We’ve added detection for the SysAid product, its version, and associated vulnerabilities, notably CVE-2023-47246 being exploited by the Clop group.
Other improvements
- This release includes a number of bug fixes.

Remediation available for Additional Evidence risks

We’ve made it easier for you to manage risks you have raised for additional evidence documentation by adding the ability to request remediation from your vendors. To learn more see How to capture additional evidence.
Edit Lock-out for completed questionnaires
To give customers more control over their assessment process we’ve added a feature to be able to prevent vendors from updating completed questionnaires. The default behaviour will be to prevent vendor updates to completed questionnaires, but this can be easily controlled at an account level by the Allow changes to completed questionnaires toggle in Questionnaires settings.
Other improvements
- New fields have been added to Vendor Details API including: risk assessment status, last assessment date, portfolios and notes
- This release includes a number of bug fixes

New SIG Lite questionnaire, plus big improvements to risk assessments

SIG Lite questionnaire added to library
The Shared Assessments Standardized Information Gathering (SIG) Lite questionnaire has been added to our questionnaire library. SIG Lite is designed to provide a broad, high-level understanding of a third party's internal information security controls. Like our other questionnaires, SIG includes incorporated cybersecurity ratings and automated risk detection, and is integrated with standard questionnaire workflows. To learn more, see Questionnaire Library.
Improved risk assessments
We’ve made improvements to the risk assessment workflow to make it more intuitive and flexible including:
- The ability to add comments to individual risks in risk assessments, making it easier to capture all your risk management activity within the platform.
- Improvements to the commentary section, with a more flexible template that is divided into sections, giving you more flexibility to present the risk assessment report according to your needs.
- Addition of more merge tags to pre-fill vendor information including scores, tiers and attributes, so you can generate comprehensive pre-filled commentary for your risk assessment.
These improvements have been available in limited release, and are now generally available to all Vendor Risk customers. To learn more see Using the risk assessment framework in UpGuard.
Show date when domains/IPs are first detected
Maintaining control of your asset inventory requires knowing when new sites first become publicly accessible. To help with this we now show the date the domain was first scanned on the domain or IP address details panel.
New workflow to request additional evidence documents
To assist with vendor risk assessments, we have made the process of collecting additional evidence documents (such as certifications and other security documentation) easier by adding a workflow to request additional evidence documents directly from vendors. Vendors can load documents directly to the platform, avoiding having to request and upload those documents outside the platform. To learn more see How to capture additional evidence.
Other improvements
- We’ve added an unverified vulnerability and compromise detection for Cisco IOS XE CVE-2023-20198.
- We’ve added a column on the Typosquatting page to allow users to sort by creation date. When a permutation has been registered more recently, it can be an indicator that it is more likely a threat.
- We’ve built more flexibility into the questionnaire builder, allowing you to add custom numbering to your questionnaire. To learn more see How to use the questionnaire builder.
- This release also includes a number of bug fixes.

Additional vulnerability detection

- We added detection for CVE-2023-22515, a vulnerability in Atlassian Confluence that has been actively exploited to add administrators to hosted Confluence instances.
- To add visibility into less highly publicized but still commonly exploited vulnerabilities, we’ve also added detections for over 200 WordPress plugins known to have vulnerabilities in some versions.
Other improvements
- This release includes a number of bug fixes
- We’ve enhanced the Vendor Details API to add Score Breakdown, Score Trend, Risk Counts, Automated Scanning Counts, and Attributes

What’s New in UpGuard | September 2023

Learn about new features, changes, and improvements to UpGuard this month.
- AI Autofill utilizes the recipient’s past questionnaire responses to make smart suggestions, allowing them to spend less time on painful, manual copy-and-paste processes, and more time focusing on fine-tuning responses and improving their answer repository.
- You can now create and save custom report templates in the Reports Library, which can then be used by you and others in your organization to run custom reports. We have also enhanced our report Library display and navigation to make it quicker and easier to find and run the reports you need.
- We’ve made some improvements to make it easier for you to track and manage Identity Breaches, such as improved filtering so you can now filter the list of breaches by severity, specific data types exposed, number of people involved, and date.

Identity Breaches uplift

We’ve made some improvements to make it easier for you to track and manage Identity Breaches. We’ve improved filtering so you can now filter the list of breaches by severity, specific data types exposed, number of people involved, and date. This follows on from recent changes to assign an identity breach to users within your organization, and add comments to the breach to track your progress and activity.
To learn more see How to collaborate on Identity Breaches.
Improved risk assessments including pre-filled commentary template - now in BETA
We’ve made improvements to the risk assessment workflow to make it more intuitive and flexible including:
- Improvements to the commentary section, by providing a more flexible template, divided into sections to give you more flexibility to present the risk assessment report according to your needs.
- Addition of more merge tags to pre-fill vendor information including scores, tiers and attributes, so you can generate comprehensive pre-filled commentary for your risk assessment.
To learn more see How to use the vendor risk assessment framework (BETA).
These improvements are now available in limited release to our BETA customer group. Talk to your account manager if you would like to get early access to these features.
Configure risk visibility for questionnaire recipients
Vendor Risk customers now have the option to disable risks from questionnaires, or configure how the risk is shown to the vendor. This allows greater flexibility in both custom questionnaires and UpGuard template questionnaires. To learn more see How to configure risk visibility within questionnaires.
Other improvements
- Additional vulnerabilities. We’ve added support for detecting the version and associated vulnerabilities for many more products.
- Schedule a report for generation using the public API. Report types supported are Board Summary Report, Board Summary Presentation, BreachSight Summary, BreachSight Detailed, VendorRisk Executive Summary, Vendor Summary, Vendor Detailed. Generated reports can be retrieved through the use of supplied email address(es), a webhook URL or via a secondary API call to obtain a download URL.
- This release also includes a number of bug fixes

Receive faster responses to questionnaires with our new AI Autofill

The launch of our AI Autofill tool makes it faster and easier for your vendors to respond to security questionnaires, delivering accurate, high-quality results. AI Autofill utilizes the recipient’s past questionnaire responses to make smart suggestions, allowing them to spend less time on painful, manual copy-and-paste processes, and more time focusing on fine-tuning responses and improving their answer repository. Find out more about How to use AI Autofill and our AI Toolkit.
Improved ability to collaborate on identity breaches
We’ve made it easier to collaborate and resolve identity breaches. You can now assign an identity breach to users within your organization, and add comments to the breach to track your progress and activity. To learn more see How to collaborate on Identity Breaches.
Scoring change to TLS and End of Life software risks
We’ve adjusted the impact of risks for end-of-life software products and additional TLS validation. These risks were previously provisional, and have now been updated with a score impact that reflects the risk they pose.
Other improvements
- We’ve improved the risk assessment framework to better reflect that risk assessments are point-in-time assessments. Questionnaires and other evidence used in risk assessments are now snapshotted, and will not be affected by any activity that happens after the risk assessment.
- We’ve released a new version of our ServiceNow Third-Party Risk Management integration, certified for the upcoming Vancouver release.
- This release includes a number of bug fixes.

Easily convert documents to additional evidence

We’ve made it easier for you to convert documents included with questionnaires and general documents into additional evidence. This allows you to easily classify and add risks to these documents, and use them as part of your vendor risk assessments. To learn more see How to capture additional evidence.
Detection of Citrix ShareFile and Ninja Forms WordPress plugin amidst active exploitation
Citrix ShareFile has been targeted by attackers to exploit CVE-2023-24489. We now identify which sites are running ShareFile so you can ensure they have been updated to the current version. We also identify sites using the Ninja Forms WordPress plugin, which is being targeted via CVE-2023-37979, CVE-2023-38386, and CVE-2023-3839.
Vulnerability detection for many JavaScript libraries
Our JavaScript vulnerability detection has been extended to include Bootstrap, Chart.js, Handlebars, and many other popular libraries to ensure that websites you depend on aren’t affected by frontend vulnerabilities.
Other improvements
- This release includes a number of bug fixes
- Improvements to collection of dark web posts will capture more breach announcements

Automation of tiers, labels, portfolios and custom attributes—now in beta

This feature makes populating vendor attributes instant and easy. You’ll now be able to automatically apply tiers, labels, portfolios or custom attributes to your vendors, based on answers collected from an internal relationship questionnaire. With flexible logic and the ability to create simple or complex automation rules, this feature reduces the manual effort required to collect and store information about your vendors, and makes it easy to apply consistent logic across your entire vendor portfolio.
Automation will be available to Vendor Risk customers on Professional, Corporate and Enterprise plans, and is currently being rolled out to a closed beta release group. To join the beta, get in touch with your Customer Success representative.
New vulnerability detections added
- We now detect the actively exploited Ivanti / MobileIron vulnerabilities CVE-2023-35078, CVE-2023-35081, and CVE-2023-35082.
- We also detect two WordPress plugins that are being actively exploited, Advanced Custom Fields and Essential Addons for Elementor.
- Unverified vulnerabilities have been added for websites using AngularJS.
Other improvements
- Vendor Risk customers can now archive shared questionnaires and additional evidence, to keep your questionnaires view up to date and free of clutter.
- This release also contains a number of bug and performance fixes

Customize and save report templates

You can now create and save custom report templates in the Reports Library, including the ability to add custom commentary and configure which elements to include in your report. Templates can then be used by you and others in your organization to run custom reports.
We have also made some further improvements to the report Library display and navigation to make it quicker and easier to find and run the reports you need.
The navigation improvements and the ability to customize reports are available to all users, but the ability to save custom templates for re-use is limited to customers on Professional plans and above.
To learn more about custom reports see How to create a custom report template.
New Vulnerability detections added
- We now detect jQuery vulnerabilities. These are based on the version of the library in use, and are marked as unverified vulnerabilities with no score impact.
- Added detections for new vulnerabilities in Atlassian Bamboo (CVE-2023-22506) and Confluence (CVE-2023-22505, CVE-2023-22508).
- Improved version detection for Citrix Gateway and ADC vulnerabilities CVE-2023-3519, CVE-2023-3466, and CVE-2023-3467. These vulnerabilities are also known to be exploited and should be investigated if detected.
Other improvements
- Improvement to the questionnaire builder to allow an optional free text field to be added against single-select and multi-select (radio/checkbox) questions
- This release includes a number of bug fixes

New bulk upload tool for additional evidence, and more

In this release we’ve introduced a new bulk upload tool for additional evidence in Vendor Risk. Adding additional evidence is vital to maintaining an accurate view of your vendors—and a huge time-saver when it comes to performing faster risk assessments without the need for lengthy questionnaires. Learn more about additional evidence.
UpGuard’s integration is now compatible with ServiceNow’s latest version
For customers utilizing our ServiceNow integration, you can rest assured that it is compatible with the Utah version of ServiceNow, as well as previous versions Tokyo and San Diego.
Other improvements
- This release includes a number of bug fixes