UpGuard Release Notes

We have released a new questionnaire that is mapped to NIST CSF. To use this questionnaire, you'll first need to enable it from the "Questionnaire Library" section of Vendor Risk. When one of your vendors completes a questionnaire, any risks identified will be mapped to the corresponding CSF control categories.

• Share your security profile: Make it easier for other companies to assess your cybersecurity posture by proactively publishing security-related information including questionnaire responses and other security documents. Control who has access to these documents, and see who has viewed them. Invite companies to view your Shared Profile when they are assessing you, and spend less time completing security questionnaires. Contact UpGuard Support to enable your Shared Profile.
• Export questionnaires: Download completed questionnaires as pdfs.
• Questionnaire workflow improvements: When you receive a completed questionnaire, mark it as “in review” to keep track of who in your team is reviewing which questionnaire response.
• API enhancements: Data leaks are now available through the API. See the API documentation for more details.
• Various bug fixes

• Executive Summary Report: We’ve created a new report to provide a summary of your own cybersecurity posture, and that of your vendors. We’ll be activating it for existing customers over the next week or so.  As part of this change you’ll notice the “Dashboard” page has been replaced with two new pages - the "Executive Summary", and a dedicated “Notifications” page.
• Enhanced file upload feature for questionnaires: When providing evidence as part of responding to a security questionnaire, you can now point to a file that you've already uploaded. This allows the same file to be referenced as evidence for multiple questions without having to upload multiple copies of it.
• Various bug fixes, including some display issues related to the Microsoft Edge browser.

• You can now receive notifications when your company's score drops below a certain threshold, or by a certain number of points.  To opt in and out of these notifications, use the "manage notifications" link on the dashboard page. To customise the set notifications available to users in your account, go to Account Settings -> Notifications (admin users only).
• The Insecure SSL/TLS Versions check now fails for TLSv1.1, in addition to SSLv2, SSLv3, and TLSv1.0. See RFC 7525 for more detail on why TLSv1.1 should be disabled.
• We fixed a bug where for some websites we would incorrectly report old versions of TLS as being available.
• We improved the way we display vendors who's primary domain does not have a website running on it.

• WordPress scanning: Whenever we detect that a site uses WordPress, we now run a series of additional security checks. These checks identify configuration problems that leave WordPress sites vulnerable to attack.
• Supply Chain Concentration Risk (beta):  We have launched a beta of a new feature which highlights where companies in your supply chain (e.g. your vendors) rely on common underlying technology (e.g. hosting providers, email providers).  Contact UpGuard Support if you would like early access to this feature.
• The character limit for messages you include when sending questionnaires has been increased from 300 to 1000
• Various bug fixes

• We’ve improved the way we display your list of vendors and instant reports.
• You can now search for vendors by URL as well as name
• We’ve improved the way questionnaires are displayed, including making it easier to view the risks, and improving the question numbering
• We've changed the algorithm for scoring questionnaires to improve the way unanswered questions are weighted.
• We’ve improved the way “Assurance” customers view their customer portfolio

• You can now add custom labels to your websites in BreachSight, just like the labels you can already add to your vendors in VendorRisk. You can then use labels to filter websites on all pages where your websites are shown.
• UpGuard has now been added as one of your monitored vendors in VendorRisk, if you were not monitoring the UpGuard vendor already. This will not count towards the available monitored vendor slots in your account. If you are not using VendorRisk already, you will now be able to access it, with UpGuard as your only monitored vendor.
• We've improved our risk model for redirect domains. These are domains that redirect users to a different domain, and do not themselves host a website. Before this change, if example.co.uk redirected to example.com, some of the risks that we scan for were only being identified on example.com, and example.co.uk was not being checked for all possible risks. With this change, all risks applicable to example.co.uk will now be correctly identified. The most significant new risks that you may start seeing on redirect domains are related to HTTPS support and SSL certificate issues. You may notice some fluctuations in website scores as this change is rolled out, but the end result will be a more accurate reflection of the risks associated with these domains.
• It's now easier to manage your Cyber Risk API keys from your account Settings page. You can have multiple active API keys, and specific keys can be deleted. This allows API keys to be rotated more easily, when required.
• Various bug fixes.
• You will now be notified on your Cyber Risk dashboard when we release new features in future. Keep an eye out for the notification.

• You can now add "private" notes to questionnaires and remediation requests. These are visible to users of your account, but not to the recipients of the questionnaire or remediation request.
• We've improved how we present your own score. When we display your own company's score to you, we can draw on public information (such as the configuration of your websites) as well as private information (such as which vendors you have marked as "in use"). This lets us provide the most complete view of your security posture. When someone else (another CyberRisk customer) looks up your company however, we report your score based only on the publicly available information. This has caused some confusion, and to address this, we've changed the way you see your own score on your "Risk Profile" page. You can now choose to either see your "public" score, or also factor in the private data you have provided.
• When you manually request a scan for a given website, we are now rescanning for open ports on that website more quickly. At times it may still take a while for refreshed port scan data to flow through, but it should often appear within 10 minutes or so. Note that when ports change from "open" to "filtered" (as opposed to "closed"), it will still take up to 30 days for changes to flow through.
• When you manually request a scan for a given website, and the scan fails (for instance, if the website is no longer running) we now report the failure, as well as how many times it's failed previously, and when the website will be removed (after 4 consecutive failures).
• You can now request remediation or create a risk waiver from the Risk Profile page, or while looking at the details of a specific website.
• We fixed a problem with vulnerabilities where some websites that use shared IP addresses would have vulnerabilities incorrectly assigned to them.
• We've made a number of UI improvements and bug fixes

• We now allow vendors to be filtered by a score range, and use this to provide a clickthrough from the vendor breakdown on the dashboard.
• We have extended vendor filtering to cover the contents of the dashboard (including the vendor breakdown) and the remediation list.
• We have created a questionnaire library, allowing account admins to easily configure which questionnaire types are able to be selected and sent by their users.It also allows non-admin users to browse and preview those questionnaire types that have been selected for the account.
• Various bug fixes

• The Data Leaks workflow has been simplified. Now there are only 3 states for a Data Leak - Disclosed, Acknowledged, and Closed. The Closed status still includes the reason for closure (Fixed, Not a Risk, or Risk Accepted), and can be verified by an UpGuard analyst as an additional final step.
• The Documents list on the Questionnaire Details page now includes all documents relevant to the questionnaire, and whether they have been included or not. This allows users to easily see which documents have been uploaded and which have been omitted.
• Users can now include a message when requesting remediation, which will be visible to the recipient.
• Users must now include a "justification" when creating a risk waiver which will be visible to the approver, if one exists. If there is a separate approver, their justification will be shown separately.
• Score history (up to a year if the data is available) is now enabled by default for all accounts.
• There is a new action in the Actions dropdown to "Send a message" available on the Questionnaire Details screen. This prompts the user to enter a message in the Correspondence section.
• Admin users can now remove themselves from an account, as long as there is at least one other admin user on the account.
• Various bug fixes and cross-browser improvements.

We have added several major new features to the CyberRisk platform:

• Risk Waivers: Use risk waivers to accept risks and hide them from your risk profile. This is especially useful when you have compensating controls in place which you believe mitigate the risk. Currently risk waivers can be applied to risks identified with your own Internet-facing assets (your own “Web Risks” identified in BreachSight).
• Enhanced Vulnerabilities Detection: We have improved the way we detect vulnerabilities, both with your own web assets (in BreachSight), and those of your vendors (in VendorRisk). We also explicitly check for the recently discovered BlueKeep vulnerability.
• Typosquatting Detection: We have launched a new module to help you manage your typosquatting-related cyber risk. You can choose which domains you want to monitor, and then review and monitor the registered and unregistered permutations of these domains for suspicious activity. Contact UpGuard Support to arrange access.

We have made a few other changes too:

• When viewing a list of websites (“Web Risks”), you can now view as a tree to make it easier to navigate subdomains
• Various bug fixes

We have just released a new version of CyberRisk, which brings several minor enhancements and a number of bug fixes:

• Attachments now supported in-line within questionnaires, rather than all being at the end of a questionnaire. This makes it easier to correlate specific questions with evidence (documents).
• When you start monitoring a vendor, you can now apply custom labels (as well as the built-in labels).
• In VendorRisk, you can now see the date that your allocation of Instant Reports rolls over.
• Various bug fixes