UpGuard Release Notes

We’re continuing to enhance our News and Incidents feed to provide broader, more comprehensive insights into breaches and cyber incidents. The feed now pulls from five times as many sources, offering greater visibility into critical, officially disclosed events. This expanded coverage empowers you to stay informed and respond more quickly to emerging risks. Access the enhanced feed directly from your dashboard under News & Incidents, and leverage this improved data to protect your business with greater precision and confidence.

Get notified when an NDA is agreed to

Trust Exchange users can now get notified when an NDA is agreed to on their Trust Page, so you’ll know when a new organization has access. This notification can be configured in the Manage Notifications page. 

Other improvements

• We've standardized the design of primary actions across the platform, which now all use our dark blue button for a more cohesive and consistent user experience.
• This release includes a number of bug fixes.

We’ve launched a new questionnaire designed to evaluate an organization's compliance with the NIST AI RMF. This security questionnaire offers a structured framework for effectively assessing the risks associated with AI systems. It covers the core functions of the NIST AI RMF—governing, mapping, measuring, and managing AI systems—ensuring that vendors uphold best practices in AI governance and operational management.

Expanded news and incident coverage

We’ve greatly enhanced our news and incident scanning capabilities, now delivering five times broader coverage to provide faster, high-impact insights. This empowers your security teams and SOC analysts to detect incidents affecting your organization or supply chain sooner, enabling proactive responses to mitigate risks early. With an expanded range of advanced data collectors, including official reports and government databases, we now offer a more comprehensive view of emerging threats to fortify your security posture.

Other improvements

• This release includes small improvements to Trust Exchange, including a new home page for free users, and improvements to notifications. 
• We’ve added product and version detection for the Roundcube email client to detect the following vulnerabilities:some text
  • CVE-2024-42008 - A cross-site scripting flaw via a malicious email attachment served with a dangerous Content-Type header
  • CVE-2024-42009 - A cross-site scripting flaw that arises from post-processing of sanitized HTML content
  • CVE-2024-42010 - An information disclosure flaw that stems from insufficient CSS filtering
• This release includes a number of bug fixes.

We’ve improved the Vendor list view and export to give you deeper insights into your vendor portfolio.

• You can now see exactly when a vendor was added to your portfolio with a new optional column called ‘Date added’. This column can be sorted and filtered, and is included in the Excel export.
• We’ve added an option to include Risk count by severity in the Excel export.

Other improvements

• When uploading or editing documents, we’ve changed the ‘document type’ selection sort order to alphabetical, making it easier to find and select the right document type.
• Several iterative updates for AI Autofill have been released, including an improvement to autofill sources and information messages. 
• Trust Exchange’s questionnaire form has seen some improvements, including an aspect ratio bug fix, an improvement to the naming of questionnaires added to Trust Pages, and more.
• This release includes a number of bug fixes.

You can now invite colleagues from outside your security team to collaborate on questionnaires, providing business owners with visibility for vendor follow-ups and enabling input from contributors across departments. These users can view questionnaires, receive status updates, participate in reviews, and communicate internally through messages.

To learn more, see How to send security questionnaires in UpGuard Vendor Risk.

APRA CPS 230 questionnaire 

We’ve added a new security questionnaire to assess an organization’s adherence to the Australian Prudential Regulation Authority's (APRA) Prudential Standard CPS 230 Operational Risk Management. CPS 230 ensures that APRA-regulated entities effectively manage operational risks to maintain the resilience of critical operations. This questionnaire covers all APRA-regulated entities' requirements, including key principles, risk management framework, roles and responsibilities, operational risk management, business continuity, and service provider arrangements.

Product detection and scanning improvements

We’ve introduced new product detections in BreachSight and vulnerability detection across our platform:

• CUPS product & version detection
• CUPS CVE-2024-47176 vulnerability detection
• GeoServer product & version detection
• Apache OFBiz product detection

Other improvements

• The SIG Lite questionnaire has been updated to make document upload requests conditional
• This release includes a number of bug fixes

We're making it easier to understand and explain web risks by introducing Risk Remediation Guidance to BreachSight and Vendor Risk. This update offers detailed explanations of each risk, its importance, and how to remediate it, enabling swift action even for non-technical users. With Risk Remediation Guidance, BreachSight users can act more decisively, resolving risks efficiently with clear instructions, while vendors gain deeper insights to better understand and mitigate risks.

Digital Operational Resilience Act (DORA) questionnaire

We’ve introduced a new questionnaire to assess an organization’s adherence to the Digital Operational Resilience Act in the EU. In effect from January 17 2025, DORA addresses gaps in EU financial regulation by requiring financial institutions to manage ICT-related risks and operational resilience alongside traditional capital allocation for risk management.

Introducing Vendor Snapshots

Vendor Snapshots (previously Instant Reports) allow you to view the external risks of an organization for 30 days without adding it to your monitored vendor list. It’s perfect for when you need a point-in-time view of a vendor's security posture, such as when assessing or comparing potential vendors as part of a due diligence process.

Improvements that have been implemented as part of this release:

• Renamed feature to Vendor Snapshot to better reflect the functionality
• Made it easier to convert a Vendor Snapshot to a monitored vendor including retaining a view of expired snapshots
• Ability to include Vendor Snapshots in the vendor comparison tool and report
• Inclusion of Vendor Snapshots in vendors page exports (Excel and PDF)
• Changes to Vendor Snapshot entitlements: Enterprise plans will have unlimited Vendor Snapshots, Professional and Corporate plans will have a set number included, and all Vendor Risk plans will be eligible to purchase additional snapshots
  

To learn more see What is the difference between a Vendor Snapshot and a Monitored vendor?

‍Configuration Leak Detection

Our web scanner now detects client-side and server-side configuration leaks, enhancing protection against exposed API keys and configuration files. This update strengthens BreachSight and Vendor Risk by improving proactive risk detection for customers and their vendors.

Other improvements

• Each page now has its own title tag, which makes it easier to differentiate between multiple tabs in your browser
• This release includes a number of bug fixes

Responding to security questionnaires is now easier than ever. You can import PDF documents (such as SOC 2 reports or security policies) in order to automatically populate security questionnaires with accurate suggestions, harnessing UpGuard’s AI to do the heavy lifting. This is available both for security questionnaires sent to you by other UpGuard users, and any external questionnaires you’ve imported into Trust Exchange. Learn more about AI Autofill. 

NIST CSF 2.0 questionnaire

We’ve added a NIST CSF 2.0 questionnaire for you to assess an organization's compliance with the standards in the NIST Cybersecurity Framework (CSF) 2.0. This questionnaire comprehensively maps to NIST's six functions, which cover governance, identification, protection, detection, response, and recovery, ensuring that organizations meet the necessary security controls and practices.

Other improvements

• Expanded product detection in BreachSight for Cisco ASA
• This release includes a number of bug fixes

It's now possible to send and track questionnaires from your existing systems and workflows using the UpGuard API. Leverage the new send questionnaire endpoint to automate the initiation of your vendor assessment process and reduce the need for manual intervention. To learn more, see How to send a security questionnaire via the UpGuard API and refer to our API documentation.

Expanded automatic product detection

We’ve expanded BreachSight’s product detection capabilities to include over 130 additional commonly used products in addition to the tens of thousands we already detect. Among the new products we detect are OpenSSH, Postfix, Kerberos, and many more. Read more about our Detected Products capability.

New vulnerability detection

We’ve added detection for two ServiceNow vulnerabilities, CVE-2024-4879 (CVSS 9.8) and CVE-2024-5217 (CVSS 8.7), both of which are being actively exploited in the wild. With this update, our platform can now effectively detect these high-severity threats.

Other improvements

• This release includes a number of bug fixes

To deliver more accurate and actionable insights into your external risks, we’ve updated how we categorize risks detected on the external attack surface. Existing risk detections have been re-organized and expanded from five categories into ten. The new security domains are Encryption, DNS, Vulnerability Management, Attack Surface, and Data Leakage, which join the existing categories of Website, Email, Network, IP Reputation, and Brand and Reputation. We’ve also updated our scoring algorithm to better measure the level of risk associated with detected findings, and to reflect the risks that make up each category. 

Auto-generated commentary for the Board Summary PowerPoint report

We’ve added auto-generated commentary for each visualization in the Board Summary PowerPoint report, so you can generate a powerful presentation with key insights instantly. The commentary is fully editable so you can adjust it to suit your audience and add your own insights. To learn more see How to generate a Board Summary report.

Notification for undelivered questionnaire requests

To help improve tracking and management of your questionnaire requests, we’ve added detection and notification for when a questionnaire request fails to reach the recipient. The notification questionnaire email has failed to send will be switched on by default for all users. The failure event will also appear in your questionnaire timeline. 

Increased News & Incidents coverage for the US

We've enhanced our US coverage, capturing a broader and more accurate range of incidents to keep you better informed.

Other improvements

• We’ve added the risk assessment report to the reports API. To learn more about requesting a report via the API see How to request a report via the UpGuard API.
• We’ve increased the character limit of custom vendor attributes to 1,000. To learn more about defining and assigning custom vendor attributes see How to use custom vendor attributes.
• Subscribers of the BreachSight digest will now see the Competitor Analysis included in the monthly email.
• We’ve improved detection of Magento instances.
• This release includes a number of bug fixes.

SIG Core and SIG Lite 2024

We’ve introduced the Standard Information Gathering (SIG) Core questionnaire to our questionnaire library, and updated the SIG Lite questionnaire to the 2024 version. The SIG questionnaires provide a comprehensive framework for evaluating third-party cybersecurity across multiple domains, including data protection, regulatory compliance, and operational resilience. 

Digital Personal Data Protection Act (DPDP), 2023 questionnaire 

This release also introduces a questionnaire to evaluate an organization's compliance with India’s Digital Personal Data Protection Act, 2023. The DPDP Act is a legislative framework designed to protect the privacy of individuals' personal data by regulating its collection, processing, and storage by organizations in India.

Learn more about the security questionnaires available in UpGuard’s Library.

Export blank questionnaires 

We’ve added an Excel export for blank questionnaires. This is available from the questionnaire summary page, the questionnaire library, and the custom questionnaire builder to help with the review process when building new questionnaires.

Other improvements

• This release includes a number of bug fixes.

We’ve developed a Multi-Framework Security Questionnaire that comprehensively maps to both ISO 27001:2022 and NIST CSF 2.0, and it is now available to all customers in the questionnaire library. This dual-standard approach offers a holistic view of a third party’s security posture, ensures robust incident response and recovery plans, and demonstrates a commitment to high security standards. We're excited to roll out even more questionnaires covering global and local regulations in coming releases.

Detection of regreSSHion (CVE-2024-6387)

CVE-2024-6387 is a high-severity vulnerability in OpenSSH servers that, if exploited, facilitates Remote Code Execution with full root privileges (CVSS 8.1). This will raise a verified vulnerability and the high severity risk “Vulnerable to CVE-2024-6387 (OpenSSH regreSSHion Remote Code Execution)“.

Detection for polyfill.io inclusions 

Recently the polyfill.io domain has taken new ownership. This has presented a new supply chain risk because they host the CDN for the polyfill JavaScript package. This will raise a new informational risk called "Polyfill.io or Polyfill.com Discovered"

Summary page added for Subsidiaries

For BreachSight plans that include subsidiaries, we’ve added a Subsidiary Summary page to allow you to view the security posture of your subsidiaries in more detail, including category breakdowns and geolocation details. To learn more see What is the subsidiary summary page.

Other improvements

• This release includes a number of bug fixes

Being informed of critical vendor incidents and news is crucial. To help you prioritize your notifications, we’ve added the ability to create a new custom notification for incidents and news, with options to apply conditional logic including tiers, labels, portfolios and other attributes. This allows you to tailor your notifications to highlight the ones that matter most to you.

Learn more about custom notifications.

Other improvements

• The Board Summary Report is now more customizable, with an option to show or hide competitor analysis from the overall security rating summary.
• This release includes a number of usability improvements and bug fixes.

Configure vulnerability notifications by CVSS severity

Effective vulnerability management hinges on prioritization. Responding swiftly to critical vulnerabilities is as crucial as efficiently scheduling patches for lower-severity issues. The thresholds for these actions depend on each organization's risk tolerance.

Our new custom notification feature for vulnerabilities helps you achieve these goals. Now, you can set notifications for newly detected vulnerabilities that meet or exceed a specified CVSS threshold. You can further customize these notifications with conditional logic based on label, vendor portfolio, or vendor tier.

Learn more about creating notifications for risks or vulnerabilities by severity.

Add manual risks to questionnaires

To help you capture additional risks identified through the questionnaire review process we’ve added the ability to add manual risks to a questionnaire.

Learn how and when to use manual risks in a questionnaire.

Allow users outside of UpGuard to request relationship questionnaires

Relationship questionnaires allow you to collect information about your organization's engagement with a vendor to help inform the appropriate level of assessment. With this enhancement, you can initiate a request for a relationship questionnaire via an API call. This allows non-users, such as business owners, to request relationship questionnaires from outside of the platform, streamlining procurement and vendor assessment processes.

Learn more about using the vendor relationship questionnaire and refer to our API documentation.

Other improvements

• This release also includes several minor improvements and bug fixes