UpGuard Release Notes

We've released a new feature called additional evidence in closed beta that will roll out to the entire user base in two weeks. If you would like access now, please get in touch.

While we recommend you use UpGuard's security questionnaires and automated scanning tools to assess your vendors, in some situations you may need to capture additional evidence about a vendor.

For example, you may send a questionnaire to a large SaaS vendor only to be directed to a page on their website that hosts complete security questionnaires, audit reports, and certificates. These documents provide insights into the vendor's security posture and attack surface.

Additional evidence allows you to capture and store this security or compliance-related documentation and associate any identified risks. Once identified, you can choose to include these risks in the vendor's risk profile, and cite them as part of a risk assessment.

Learn how to capture additional evidence here.

Other improvements and fixes

• Data leaks customers can now see search results from the dark web and Google searches

A common misconfiguration for WordPress sites is to expose the names of users. We now display the actual user list in the UpGuard platform when this risk is detected.

Additionally, we now explicitly check for old versions of WordPress that have known vulnerabilities that can be exploited.

Other improvements and fixes

• You can now retrieve the current set of risks from a vendor via our API.
• Risks are now prepopulated when you request remediation through the Portfolio Risk Profile.
• Questionnaire due dates can now be changed. If you want to change a questionnaire's due date, click on the questionnaire, click the "actions" button, and then click "Set due date".
• You can now export to PDF and Excel in more places.
• When you have filters active and export data to PDF, the PDF that is generated will now display the filters you used.
• The check for certificates that are about to expire now triggers when a certificate is within 20 days of expiring, rather than 30. This change is designed to reduce the number of false positives as some popular certificates (like LetsEncrypt) can be set to automatically renew when there are less than 30 days to expiry.

In addition to our API, UpGuard uses webhooks to notify other applications when an event happens in your account. This could be when an identity breach or data leak is detected, the security rating of a vendor drops below a threshold, or when a user requests access to your Shared Profile.

Our improved webhook integration allows you to customize the payload you send to the webhook. This means you can push data into our systems without having to support our default payload format.

If you’re an UpGuard account admin, you can set up new and configure existing webhook integrations from Account Settings -> Integrations, or by clicking here.

If you need a hand setting up your first integration, please read our article on how to integrate UpGuard with other services.

Vulnerabilities are now available through our API

The UpGuard API now lets you return the list of vulnerabilities detected for your organization and your vendors. Click here for details.

Other improvements and fixes

• When you filter your vendor portfolio based on labels you can now choose whether you want to see vendors that match any of the labels applied or restrict the results to only vendors who have all labels applied.
• You can now export from the "Vendors" page in Excel and PDF formats

We're releasing a new feature for our Data Leaks customers called Data Leaks Reporting. It provides detailed analytics on the keywords you have provided us.

You'll be able to see which research results were classified as safe (by our algorithms or analysts), and which resulted in findings.

Please note: This feature will be rolled out over the coming week. In the meantime, be sure to check out our knowledge base article on Data Leaks Reporting.

If you are a current UpGuard customer and are interested in the Data Leaks module. Please contact your Technical Account Manager or click the chat widget in the lower right corner of your screen.

UpGuard Vendor Risk

We've made some enhancements to the export functionality of Portfolio Risk Profile. You'll now notice that when you export data it will include the details of the specific risks identified at each vendor.

Read our knowledge base article on how to export from the Portfolio Risk Profile for more information.

UpGuard BreachSight

We've also improved the export functionality of Vulnerabilities. When you export vulnerabilities, we now include the description of the CVE in the export.

If you would like to learn more about our Vulnerabilities module, read our knowledge base article here.

We've made it easier to control who has access to your Shared Profile. You can now choose to give access to any registered UpGuard user or only to people you explicitly approve.

For context, a Shared Profile makes it easier to respond to security queries by allowing you to proactively publish information, such as completed security questionnaires or a SOC 2 report, alongside your security rating.

This saves your team time by allowing you to share vital information for potential and current customers without having to respond to the same questions over and over.

If you haven't contacted us to enable the Shared Profile functionality and would like to use it, please do so via support@upguard.com or via the chat widget in the bottom right-hand corner of your screen.

And if you'd like to configure your company's Shared Profile or access level, you can do so from the "My Shared Profile" page.

Go to My Shared Profile

Improved knowledge base

To help you and your team get up to speed with existing and new features inside the UpGuard platform - we're rolling out a new knowledge base.

If you want us to explain how to use any of our features or what we consider best practices, please reach out to us and we'll do our best to accommodate.  

Go to the UpGuard Knowledge Base

We’ve released a new feature for UpGuard Vendor Risk customers called Portfolio Risk Profile. Explore this feature in the UpGuard platform.

It allows you to view the overall risk profile of your vendor portfolio in a single place. For example, you can filter down based on specific risks (e.g. open FTP port) or see all the risks associated with vendors that are labeled as “in-use”.

You can read more about what the Portfolio Risk profile is here, learn how to use its filter functionality here, and learn how to export data here.

In other news, you can now filter Executive Summary Reports across UpGuard Vendor Risk and UpGuard BreachSight.

You can filter by label or score range in the UpGuard Vendor Risk Executive Summary and by label in the UpGuard BreachSight Executive Summary. To apply a filter, click on the “Apply filters” button in the top right-hand corner of your screen.

We’re also investing in our user interface to ensure the UpGuard platform remains consistent, deliberate, and easy to use. Expect more improvements over the next few weeks.

UpGuard Vendor Risk

In summary:

• Released the Portfolio Risk Profile
• Added filtering for UpGuard Vendor Risk Executive Summary
• Improved the UI

UpGuard BreachSight

We’ve improved our typosquatting module. It now checks for permutations based on other top-level domains. For example, if you are monitoring “example.com” we will now return permutations such as “example.net”

In summary:

• Improved typosquatting module
• Added filtering for the UpGuard BreachSight Executive Summary
• Improved the UI

We’ve greatly improved the report export functionality across the UpGuard platform. You can now export your own or a vendor’s risk profile to Excel. The Excel file contains a row for each combination of risk and domain / IP.

You’ll also notice that reports reflect any filters you have in place, such as label-based or score-based filtering. To try this out, log in to the UpGuard platform > go to your Risk Profile > apply a filter > click export.

You’ll see there is an option to apply active filters, as well as to export to PDF or Excel.

Additionally, we’ve made some changes to how we report on and classify domains and IP addresses across both UpGuard Vendor Risk and UpGuard BreachSight:

• When a domain or IP is removed (from a vendor’s infrastructure or your own), you will now see a corresponding event in the “changes” view.
• Domains with open ports are now classified as “active” to better reflect an organizations attack surface. Prior to this, domains with open ports but no website or email configuration were classified as “inactive”.
• Parked domains at several registrars are now considered “inactive”. If you have parked domains that do not appear inactive, please contact UpGuard Support and we can set them as “inactive”.

We also made a small change to our scoring engine. The "HTTP still accessible" check will now fail for domains that respond with a 4xx/5xx HTTP status code over plain HTTP. Previously only sites responding with 200 failed this check.

UpGuard Vendor Risk

We’ve made UpGuard Vendor Risk specific improvements:

• Domains and IPs are now viewable from Risk Assessments. This means when you conduct a risk assessment on a vendor, you can use the list of Domains and IPs monitored by UpGuard, as well as their associated risks, as part of the evidence for that assessment.
• We’ve made some improvements to how we collect fourth-party information for our Concentration Risk and Supply Chain modules. If you would like to know more about these modules, please contact UpGuard Support.

UpGuard BreachSight

We’ve made UpGuard BreachSight specific improvements:

• The Identity Breaches API now includes the data classification for each branch, such as whether it contains passwords, PII, or other sensitive information.
• Vulnerability alerts are now grouped into a single email. This means if you enable email notifications for new CVEs discoveries, we will only send you one email per day that outlines all impacted domains and IPs. You can manage your notifications by clicking here.

We've made some changes to how we are structuring the sidebar in the UpGuard CyberRisk. The Executive Summary is now split into two separate pages:

• UpGuard Vendor Risk Executive Summary
• UpGuard BreachSight Executive Summary

This better reflects the nature of the data contained in each page and ensures there is a consistent separation between UpGuard Vendor Risk and UpGuard BreachSight. Additionally, we've reordered some other menu items to improve usability.

Other product-wide improvements in this release include:

• Deeplinking. If you click an UpGuard link, such as an email notification, and are not logged in, after logging in you will be redirected to the page you were trying to access
• Category scores. We've improved our API and have made category scores available through the Vendor List API endpoint
• Revoked certificate check. This is a new check part of our automated scanning

UpGuard Vendor Risk improvements

We've improved the ability to drill down into specific details on the UpGuard Vendor Risk Executive Summary, you can now:

• See which vendors fall within each score range in Current Risk Ratings Breakdown
• Navigate to the details of a specific vendor in Highest and Lowest Rated Vendors
• See what products your vendors are using in Supply Chain Risk Section

Additionally, we've now:

• Display supported file types on the Documents and Contacts page.
• Have a new app or email notification type for when a Risk Assessment is published. If you would like to receive these notifications, head to the Notifications page.

UpGuard BreachSight improvements

We've improved the UpGuard BreachSight Executive Summary by:

• Allowing you to add up to ten competitors to Competitor Analysis

Additionally, we've made a few small improvements:

• Risk Profile and Risk Waiver pages now fall under UpGuard BreachSight

Over the next week, we'll be rolling out a change to how we display domains and IPs in the UpGuard platform.

Going forward, we will display inactive domains and IPs across your own infrastructure and that of your vendors. We previously only reported on active domains and IP, e.g. ones running a website or with MX records. We track many more domains than what appears in the active section and now provide a way for you to view these.

UpGuard Vendor Risk improvements

We’ve also improved the design and usability of our new Risk Assessment feature, making it easier to create and read risk assessments. As always, if you’d like to try the feature please let us know via support@upguard.com.

And if your account is configured to factor in questionnaire scores into the overall score of a vendor, you will now see a breakdown of the score on their risk profile and vendor summary page.

In short, we now show the total score, questionnaire score, and score based on automated scanning.

UpGuard BreachSight improvements

We’ve added new functionality and data to the Identity breaches module:

• You can now send email notifications to those who are exposed in third-party data breaches. This is a good way to remind staff about the appropriate use of work email accounts, discourage staff from reusing passwords, or to remind people to change their passwords.
• Breaches can now be archived once you have processed them, e.g. once you’ve notified impacted employees.
• Our data set of breaches now includes additional breaches that were discovered by the UpGuard Cyber Research team.

We launched a new feature called Risk Assessment. This feature is currently available on request, if you would like access please email support@upguard.com.

Risk Assessment allows you to:

• Specify the evidence you reviewed as part of the assessment (including questionnaires and automated scan results)
• Document your findings based on this evidence
• Record who conducted the assessment
• Export the assessment as a PDF
• Make the assessment visible within the app to all the users of your account

UpGuard Vendor Risk improvements

We've also released two Pandemic questionnaires designed to help you assess your vendors' readiness to deal with the current pandemic, as well as improved PDF report generation.

When you export information to PDF, it will now appear in the sidebar under a new menu item called "Reports". This also fixes the bug where generating reports for large vendors would sometimes time out.

UpGuard BreachSight improvements

We've added an API that returns information about your company's identity breaches, made it easier to tell which domains and IPs you've added manually, and pushed quite a few bug fixes and minor tweaks.

New Vendor Summary: When you look up a vendor, the first page you see is now a new Vendor Summary. This provides a management-level view of the vendor, and can also be exported as a pdf.

Other improvements

• Enhanced Risk Profile: We’ve made a number of improvements to the Risk Profile page, including the ability to filter by risk category (e.g. website risks, email risks, etc.)
• Websites & APIs is now called Domains and IPs
• Greatly enhanced port scanning: We now explicitly check for nearly 200 services running across thousands of ports. We also report any services that we can’t identify, and any open ports where no services are detected.
• We’ve made some changes to our scoring algorithm: Updated email security checks: this includes a new check for the DMARC policy (which fails if p=none). For information on email security, see https://www.upguard.com/blog/email-security
• Improved checking for open ports/services: As part of enhancing our port scanning capability, we have reviewed and updated the severity of risks associated with open ports/services. The HSTS checks now include a check against the Chromium preload list. If a domain is on the preload list, all HSTS checks pass for that domain and all its subdomainsUpdated domain status checks for .au domains: We no longer check for clientTransferProhibited or serverRenewProhibited on .au domains, as they are not applicable
• Changes to open ports can now be reflected in CyberRisk sooner, by pressing the “RESCAN” button. When a port is closed, manually requesting a rescan of the website will now detect the change to the port sooner (usually within a day).
• WHOIS lookup within Typosquatting: When you view a registered permutation of a domain you are monitoring for typosquatting, you can now see that permutation’s WHOIS information
• New Questionnaires: We have added questionnaires for PCI DSS, CPPA, and Modern Slavery.

• Export Vulnerabilities: You can now export the list of vulnerabilities
• Better domain discovery: We’ve made further improvements to our domain discovery engine, which results in more domains and subdomains being discovered.
• Various usability tweaks and bug fixes