
New Board Summary PowerPoint presentation, and improvements to reputation risk detection

This release includes expanded sources for reputation risk detection, improvements to reporting templates, as well as additional evidence enhancements and more.
Improvements to reputation risk detection
This release includes expanded sources for reputation risk detection, to ensure your assets are better protected against malicious actors. We’ve improved a number of areas, including detection of domains and IPs that are communicating with command and control servers, suspected of brute force login attempts, conducting unsolicited scanning, distributing malware, and hosting phishing sites. These improvements also provide visibility of when a domain or IP has been mistakenly flagged on one of the reputation lists, and allow corrective action to be taken.
UpGuard collects reputational risk data from a variety of sources. We include the source of the data in the risk’s “actual” value so that you have transparency into the information being used.
Board summary report now available as a PowerPoint presentation
Fans of our board summary reporting template will rejoice, as you can now download this report as an editable PowerPoint document for easy customization and sharing.
Other improvements
- It is now easier to see when you’ve saved documents against your vendors that might help in your assessment of them—like a SOC2 report, or ISO 27001 certificate. You can now add “Evidence” and “Questionnaires” columns to the Vendors page, and filter by additional evidence and questionnaire types.
- There is now an informational risk present for use of TikTok Analytics.

What’s new in UpGuard | June 2023

Learn about new features, changes, and improvements to UpGuard this month.
- You can now share risk waivers that you create with organizations that monitor you as a vendor. Vendor Risk users will be able to see if a vendor organization has any public (shared) risk waivers, review them, and choose whether to accept those risk waivers.
- We’ve improved our scanning, adding new risks to identify software that is past its end-of-life date. These scanning improvements identify the software used by your organization that is no longer supported by its developers and is potentially open to exploitation by threat actors.
- We’ve developed a new tool, utilizing the power of AI, called AIEnhance. This new feature allows vendors to turn short bullet points or rough draft notes into full-sentence responses with the click of a button.

Improved flexibility for BreachSight reports and new subsidiary report

We have made several improvements to BreachSight reports in this release, including the addition of a new subsidiary report.
- BreachSight report: we’ve improved visualizations as well as added flexibility to build custom reports and add custom commentary.
- Organizations that include subsidiaries: the new subsidiary report allows you to run a detailed risk report for your organization and its subsidiaries and compare the performance of subsidiaries over time.
To learn more about the changes see How to generate a BreachSight report and How to generate a BreachSight Subsidiaries report.
Other improvements
- Improvements to Vendor Risk Waivers allowing increased flexibility to select and edit domains/IPs or questionnaires included in the risk waiver.
- Enhanced filters for questionnaires. With these new filters, you can easily sort through shared assets based on their status, making it even easier to keep track of all important documents and information provided by your vendors.
- A new Post Breach questionnaire type is now available in the Questionnaire Library. This questionnaire is designed to be sent to a vendor following a breach.
- This release also includes a number of bug fixes.

Improved flexibility for Vendor Risk and Board summary reports

In this release we have made a number of improvements to Vendor reports and the Board summary report. These include improved visualizations as well as increased flexibility to build custom reports and add custom commentary. To learn more about the changes see How to generate a vendor report and How to generate a board summary report.
Other improvements
- Scheduled reports, which were previously only available for higher plans, are now available to all customers. To learn more see What are recurring reports.
- We’ve improved the custom vendor attributes feature to allow multi-select set lists. To learn more about how to use custom vendor attributes to store information about your vendors see How to use custom vendor attributes.
- We’ve made a change to make it clearer to vendors that a questionnaire has been archived, preventing vendors from editing them.
- We’ve made some improvements to the recently released Questionnaire changes view feature to make navigating to see changes even easier. To learn more see How to compare responses using the Questionnaire Changes View.
- We’ve added low severity risks related to TLS, including use of insecure cipher suites, common or weak Diffie-Hellman primes, and weak public keys. These will initially be released as provisional with no score impact.
- We’ve made improvements to asset geolocation, now showing the location of the IP address rather than the IP owner.
- This release also includes a number of bug fixes.

New functionality for vendors, powered by AI

Today we’re releasing a new tool called AIEnhance, to help vendors respond faster and more accurately to questionnaires. Powered by AI, this feature is the first of its kind, as it allows vendors to turn short bullet points or rough draft notes into full sentence responses with the click of a button. It can correct grammatical mistakes, remove typos, and improve responses instantly without having to leave the questionnaire.
This feature is now in beta, available to all vendors who have been sent an UpGuard standard questionnaire. It is not yet available on custom questionnaires. We welcome feedback as we continue to make it easier and faster to respond to questionnaires. Learn more about AIEnhance.
Improved IP range presentation
The IP Ranges tab will now only show ranges that are wholly owned by the organization you are viewing.
Risk for VMware daemon
We will now raise a high severity risk when the VMware authentication daemon, a service used in products including ESXi, is publicly exposed.
Informational risk for Meta Pixel
We will now raise an informational risk when we detect the Meta/Facebook Pixel. While this technology can be implemented benignly, it has been involved in several data breaches where personal health information was improperly transmitted to Meta via the tracking Pixel.
Improvements to additional evidence
Vendor Risk customers now have more flexibility to track additional evidence that is attached to a monitored vendor, with these changes:
- Additional evidence risks are now able to be edited
- New additional evidence document classification types have been added, alongside the ability to add your own custom types
For more information about these changes see How to capture additional evidence.
Other improvements
- This release includes a number of bug fixes

New end-of-life software risks

We’ve improved our scanning, adding new risks that identify software past its end-of-life date and indicate that date. End-of-life software no longer receives updates, including for security issues. Using this software is extremely risky as it is likely to have vulnerabilities without patches, and those vulnerabilities are often targeted by threat actors.
To see any end-of-life software risks affecting your organization, log in to your Cyber Risk account.
Improve visibility of status for Managed Vendors
We’ve added new Service Status and Analyst Notes fields to the Managed Vendors page to help organizations using Third-Party Risk Management Services to easily see the status of their requests. To learn more about these changes and Third-Party Risk Management Services see How to request a managed service.
Other improvements
- This release includes a number of bug fixes

General release of Asset Portfolios and Public Risk Waivers

These two features, which have been in limited beta, are now available to all eligible customers. This release also includes additional Excel exports available across the platform, improvements to questionnaire exports, and more.
Portfolios for your domains in BreachSight
Asset portfolios provide a way to group your domains together to simplify asset management, enforce access controls, and segment reporting. Portfolios are flexible and configurable, allowing you to group assets however best supports your business—by region, business unit, or other internal structures. Newly discovered subdomains will automatically inherit portfolio membership from their parent, ensuring consistent visibility over dynamic footprints. To learn more see How to use asset portfolios to segment your domains.
This feature is included in all Professional, Corporate and Enterprise plans. Otherwise, to get access to this feature get in touch with your Technical Account Manager or contact us via support@upguard.com.
Public Risk waivers
To make it easy for you to share information about compensating controls with UpGuard users in other organizations, you can now share risk waivers that you create with organizations that monitor you as a vendor. To learn more see How to use public risk waivers in BreachSight.
Vendor Risk users will be able to see if a vendor organization has any public (shared) risk waivers, review them, and choose whether to accept those risk waivers. To learn more see How to use public risk waivers in Vendor Risk.
Excel exports
To make it easier to extract and analyze the information and data you need, we’ve added a number of new Excel exports across the platform. New exports include:
- Risk profile changes view
- Risk waivers
- Individual remediation requests
- BreachSight and Vendor Risk executive summary
- Subsidiaries
Improvements to questionnaire exports
We’ve made improvements to questionnaire exports to allow inclusion of messages and comments. We’ve also added more fields to questionnaire summary exports to help you track and report on questionnaire activity and status across your vendors.
Other improvements:
- Updates to risks for non-standard HTTP & HTTPS ports
- This release includes a number of bug fixes

What’s New in UpGuard | March 2023

Learn about new features, changes, and improvements to UpGuard this month.
- To promote your security rating to your customers and partners, you can easily embed our score badge on your website.
- We’ve recently added a new feature to store Trust and Security page links against each vendor organization, making it quicker and easier for you to source and access publicly available security information to perform risk assessments.
- You can now group your domains together to simplify asset management, enforce access controls, and segment reporting with Asset Portfolios.

Promote your security posture by sharing your UpGuard security rating and risk waivers

To promote your security rating to your customers and partners, you can easily embed our score badge on your website by clicking Share rating in the top right corner of any BreachSight page within the app. Visit How to add your security rating badge to your website to learn more.
Public Risk waivers - BETA release
To make it easy for you to share information about compensating controls with UpGuard users in other organizations, you can now share risk waivers that you create with organizations that monitor you as a vendor. To learn more see How to use public risk waivers in BreachSight.
Vendor Risk users will be able to see if a vendor organization has any public (shared) risk waivers, review them, and choose whether to accept those risk waivers. To learn more see How to use public risk waivers in Vendor Risk.
This feature is now available to Beta customers. If you would like to get early access, get in touch with your Technical Account Manager or contact us via support@upguard.com.
Compliance reporting for new ISO 27001 (2022) questionnaire
Following on from the recent release of the new ISO 27001 (2022) questionnaire, we’ve added a new framework to our compliance reporting to provide an easy way to assess the level of compliance that a vendor has against this standard. To learn more see What is compliance reporting in UpGuard Vendor Risk.
Other improvements
- Bulk IP address labeling – when importing lists of IP addresses, you can attach labels to them.
- This release includes a number of bug fixes.

Your vendor security pages, in one place

In this release we have added a new feature to store Trust and Security page links against each vendor organization, making it easier to source and access publicly available security information to perform risk assessments.
- We have added more than 4,000 links for relevant trust and security pages to the profiles of our most highly-monitored vendors.
- Any organization that has a Shared Profile in UpGuard can add additional relevant links to their own profile, making them available to other organizations assessing them in the UpGuard platform.
- Vendor Risk users can also add links to the profile of any organization they are monitoring to use in their own vendor assessments.
To learn more see How to use Trust and Security pages in UpGuard.
Score change for public headers
The risks for security headers introduced in November 2022 have now been updated from unscored provisional risks to risks with score penalties applied. The penalties for these risks are averaged into the scoring algorithm, so there will be an equal number of domains that incur a score decrease as see a score increase, depending on whether they have implemented these controls at a lower or higher rate than average. You will see an indicator on the Risk Profile timeline so that changes in scores can be attributed to the introduction of penalties for these risks.
Portfolios view for your domains in BreachSight, now in beta
Asset portfolios provide a way to group your domains together to simplify asset management, enforce access controls, and segment reporting. Portfolios are flexible and configurable, allowing you to group assets however best supports your business—by region, business unit, or other internal structures. Newly discovered subdomains will automatically inherit portfolio membership from their parent, ensuring consistent visibility over dynamic footprints. This feature is now in a limited beta test. If you’d like to try it out, get in touch with your Technical Account Manager or contact us via support@upguard.com.
Other improvements
- It’s now easier to find and use Shared Profile documents your vendor has uploaded. These can be found in the Questionnaires, Additional Evidence and Risk Assessments views.
- We’ve added a warning if vendors try to submit questionnaire updates without making changes, to cut back on unnecessary steps.
- We’ve made some changes to the risk profile pages, adding a status column to improve visibility of risk waivers as well as remediation requests. We’ve also made it easier for you to edit your risk waivers if the scope changes.
- This release includes a number of bug fixes.

Two major questionnaire updates

This release includes two updates to questionnaires that we think you’re going to want to know about. Firstly, we’ve introduced a new version of our ISO 27001 questionnaire. This new version is in line with the ISO/IEC 27001:2022 standard which was published in late 2022. Secondly, we’ve added the ability for vendors to export the questionnaires from UpGuard, complete them, and import them back into the platform. Read on to learn more.
ISO 27001:2022 Questionnaire update
Now available in the Vendor Risk Questionnaire Library, this update brings our ISO 27001 questionnaire up to date with the latest standard. You will be able to continue to access both the previous version as well as the new one via the Questionnaire Library.
Questionnaire answer import tool – now in beta
Vendors can make use of this new feature to export questionnaires as .XLSX workbooks, add their responses offline, and then import them back to UpGuard to complete the process. This gives vendors the flexibility to complete questionnaires faster and more easily, in the tools of their choosing. This feature is now in beta, with feedback welcome. Learn more about it here.
Other improvements
- We’ve made some layout and sorting improvements to the competitors table for subsidiary-type accounts.
- This release includes a number of bug fixes.

What’s New in UpGuard | February 2023

Learn about new features, changes, and improvements to UpGuard this month.
- We’ve updated our ISO 27001 Questionnaire in line with the latest standard. You can access both the latest version and the previous one via the Questionnaire Library in Vendor Risk.
- Vendors can now complete questionnaires faster and more easily in the tool of their choice via the Questionnaire Answer import tool. This new feature allows vendors to export Questionnaires as an Excel document, add their responses, and import back into the UpGuard Platform to complete the questionnaire.
- We’ve added a new Risk Assessment Summary report showing the risk assessment status across your vendors.
- We have added additional risks for domains at risk of hijacking. You can now receive notifications of new active domains and IPs, and reduce the time to remediate associated risks.