UpGuard Release Notes

Learn about new features, changes, and improvements to UpGuard.
September 2024
Automatically answer questionnaires using a SOC 2 report, information security policy, or any other PDF

Toby Roger
September 11, 2024

Responding to security questionnaires is now easier than ever. You can import PDF documents (such as SOC 2 reports or security policies) to automatically populate security questionnaires with accurate suggestions, harnessing UpGuard’s AI to do the heavy lifting. This is available both for security questionnaires sent to you by other UpGuard users and for any external questionnaires you’ve imported into Trust Exchange. Learn more about AI Autofill.

NIST CSF 2.0 questionnaire

We’ve added a NIST CSF 2.0 questionnaire for you to assess an organization's compliance with the standards in the NIST Cybersecurity Framework (CSF) 2.0. This questionnaire comprehensively maps to NIST's six functions, which cover governance, identification, protection, detection, response, and recovery, ensuring that organizations meet the necessary security controls and practices.

Other improvements

  • Expanded product detection in BreachSight for Cisco ASA
  • This release includes a number of bug fixes
August 2024
Send security questionnaires to vendors using the API

Toby Roger
August 28, 2024

It's now possible to send and track questionnaires from your existing systems and workflows using the UpGuard API. Leverage the new send questionnaire endpoint to automate the initiation of your vendor assessment process and reduce the need for manual intervention. To learn more, see How to send a security questionnaire via the UpGuard API and refer to our API documentation.

Expanded automatic product detection

We’ve expanded BreachSight’s product detection capabilities to include over 130 more commonly used products, on top of the tens of thousands we already detect. Among the new products we detect are OpenSSH, Postfix, Kerberos, and many more. Read more about our Detected Products capability.

New vulnerability detection

We’ve added detection for two ServiceNow vulnerabilities, CVE-2024-4879 (CVSS 9.8) and CVE-2024-5217 (CVSS 8.7), both of which are being actively exploited in the wild. With this update, our platform can now effectively detect these high-severity threats.

Other improvements

  • This release includes a number of bug fixes
August 2024
Expanded categorization of attack surface risks

Toby Roger
August 15, 2024

To deliver more accurate and actionable insights into your external risks, we’ve updated how we categorize risks detected on the external attack surface. Existing risk detections have been re-organized and expanded from five categories into ten. The new security domains are Encryption, DNS, Vulnerability Management, Attack Surface, and Data Leakage, which join the existing categories of Website, Email, Network, IP Reputation, and Brand and Reputation. We’ve also updated our scoring algorithm to better measure the level of risk associated with detected findings, and to reflect the risks that make up each category. 

Auto-generated commentary for the Board Summary PowerPoint report

We’ve added auto-generated commentary for each visualization in the Board Summary PowerPoint report, so you can generate a powerful presentation with key insights instantly. The commentary is fully editable so you can adjust it to suit your audience and add your own insights. To learn more see How to generate a Board Summary report.

Notification for undelivered questionnaire requests

To help improve tracking and management of your questionnaire requests, we’ve added detection and notification for when a questionnaire request fails to reach the recipient. The "questionnaire email has failed to send" notification will be switched on by default for all users. The failure event will also appear in your questionnaire timeline.

Increased News & Incidents coverage for the US

We've enhanced our US coverage, capturing a broader and more accurate range of incidents to keep you better informed.

Other improvements

  • We’ve added the risk assessment report to the reports API. To learn more about requesting a report via the API see How to request a report via the UpGuard API.
  • We’ve increased the character limit of custom vendor attributes to 1,000. To learn more about defining and assigning custom vendor attributes see How to use custom vendor attributes.
  • Subscribers of the BreachSight digest will now see the Competitor Analysis included in the monthly email.
  • We’ve improved detection of Magento instances.
  • This release includes a number of bug fixes.
July 2024
New SIG 2024 and DPDP Act Questionnaires

Toby Roger
July 31, 2024

SIG Core and SIG Lite 2024

We’ve introduced the Standard Information Gathering (SIG) Core questionnaire to our questionnaire library, and updated the SIG Lite questionnaire to the 2024 version. The SIG questionnaires provide a comprehensive framework for evaluating third-party cybersecurity across multiple domains, including data protection, regulatory compliance, and operational resilience. 

Digital Personal Data Protection Act (DPDP), 2023 questionnaire 

This release also introduces a questionnaire to evaluate an organization's compliance with India’s Digital Personal Data Protection Act, 2023. The DPDP Act is a legislative framework designed to protect the privacy of individuals' personal data by regulating its collection, processing, and storage by organizations in India.

Learn more about the security questionnaires available in UpGuard’s Library.

Export blank questionnaires 

We’ve added an Excel export for blank questionnaires. This is available from the questionnaire summary page, the questionnaire library, and the custom questionnaire builder to help with the review process when building new questionnaires.

Other improvements

  • This release includes a number of bug fixes.
July 2024
New multi-framework security questionnaire

Toby Roger
July 17, 2024

We’ve developed a Multi-Framework Security Questionnaire that comprehensively maps to both ISO 27001:2022 and NIST CSF 2.0, and it is now available to all customers in the questionnaire library. This dual-standard approach offers a holistic view of a third party’s security posture, ensures robust incident response and recovery plans, and demonstrates a commitment to high security standards. We're excited to roll out even more questionnaires covering global and local regulations in coming releases.

Detection of regreSSHion (CVE-2024-6387)

CVE-2024-6387 is a high-severity vulnerability in OpenSSH servers that, if exploited, facilitates Remote Code Execution with full root privileges (CVSS 8.1). Detection will raise a verified vulnerability and the high severity risk “Vulnerable to CVE-2024-6387 (OpenSSH regreSSHion Remote Code Execution)”.

Detection for polyfill.io inclusions 

The polyfill.io domain recently came under new ownership. This presents a new supply chain risk because the domain hosts the CDN for the polyfill JavaScript package. Detected inclusions will raise a new informational risk called "Polyfill.io or Polyfill.com Discovered".

Summary page added for Subsidiaries

For BreachSight plans that include subsidiaries, we’ve added a Subsidiary Summary page to allow you to view the security posture of your subsidiaries in more detail, including category breakdowns and geolocation details. To learn more see What is the subsidiary summary page.

Other improvements

  • This release includes a number of bug fixes
July 2024
Customize notifications for critical vendor incidents and news

Toby Roger
July 3, 2024

Being informed of critical vendor incidents and news is crucial. To help you prioritize your notifications, we’ve added the ability to create a new custom notification for incidents and news, with options to apply conditional logic including tiers, labels, portfolios and other attributes. This allows you to tailor your notifications to highlight the ones that matter most to you.

Learn more about custom notifications.

Other improvements

  • The Board Summary Report is now more customizable, with an option to show or hide competitor analysis from the overall security rating summary.
  • This release includes a number of usability improvements and bug fixes.
June 2024
Configure vulnerability notifications by CVSS severity

Toby Roger
June 19, 2024

Effective vulnerability management hinges on prioritization. Responding swiftly to critical vulnerabilities is as crucial as efficiently scheduling patches for lower-severity issues. The thresholds for these actions depend on each organization's risk tolerance.

Our new custom notification feature for vulnerabilities helps you achieve these goals. Now, you can set notifications for newly detected vulnerabilities that meet or exceed a specified CVSS threshold. You can further customize these notifications with conditional logic based on label, vendor portfolio, or vendor tier.

Learn more about creating notifications for risks or vulnerabilities by severity.

Add manual risks to questionnaires

To help you capture additional risks identified through the questionnaire review process, we’ve added the ability to add manual risks to a questionnaire.

Learn how and when to use manual risks in a questionnaire.

Allow users outside of UpGuard to request relationship questionnaires

Relationship questionnaires allow you to collect information about your organization's engagement with a vendor to help inform the appropriate level of assessment. With this enhancement, you can initiate a request for a relationship questionnaire via an API call. This allows non-users, such as business owners, to request relationship questionnaires from outside of the platform, streamlining procurement and vendor assessment processes.

Learn more about using the vendor relationship questionnaire and refer to our API documentation.

Other improvements

  • This release also includes several minor improvements and bug fixes
June 2024
Improved classification for Identity Breaches

Toby Roger
June 4, 2024

Identity breaches now include a new attribute that indicates the source of the data, specifying whether it originated from a company's breach, a paste document, or an Infostealer malware infection. Additionally, breaches can be filtered by type, providing a focused view of how your users have been exposed through third-party breaches or malware.

Note: the Infostealer data feed is included for customers on the Professional plan, and can be added on for Starter and Basic plans.

Other improvements

  • The Shared Profile has been renamed to Trust Page in the navigation and other areas. A Trust Page allows you to instantly share your security documentation with your customers.
  • We’ve incorporated a new detection for CVE-2024-24919, a high-severity information disclosure vulnerability affecting Check Point Security Gateway devices, now recognized as a CISA Known Exploited Vulnerability.
  • This release includes a number of bug fixes.
May 2024
Configure approver settings for risk waivers and adjustments

Toby Roger
May 23, 2024

A new setting now allows you to control who in your business is a nominated approver of risk waivers in both BreachSight and Vendor Risk, and risk adjustments in Vendor Risk. You can:

  • Mandate approval for risk waivers and risk adjustments
  • Nominate specific users who can approve risk waivers and adjustments

You can configure these approval settings for BreachSight and Vendor Risk in the Settings page.

Other improvements

  • Webhooks have been enhanced with the addition of a Questionnaire ID field.
  • The Vendor Risk executive summary page now includes tiering information in the highest and lowest scored vendors tables.
  • Vendor tier and vendor score are now available in the Vendor Risk portfolio risk profile and risk export.
  • We’ve made the Vendors page Excel export more customizable by adding the option to only include fields that you have selected to display.
  • We’ve added more detail to manually reduced risks in risk assessments and vendor reports including justification.
  • This release includes a number of bug fixes.
May 2024
Request a Managed Vendor Assessment

Toby Roger
May 10, 2024

Scale up your third-party risk management program and clear your backlog with our refreshed workflow for Managed Vendor Assessments. Engage our analyst team for expert assessment of your critical suppliers. Key features include:

  • Faster turnaround: we analyze audit reports and security documentation to reduce dependency on vendors responding to lengthy questionnaires.
  • Aligned to industry standards: our assessment encompasses controls for key security frameworks including ISO 27001:2022 and NIST Cybersecurity Framework (CSF) 2.0.
  • Easy to understand report: clearly communicate risk to your stakeholders with the redesigned report featuring all risks, findings and recommendations mapped to key security domains and control groups.

Read more about Managed Vendor Assessments, or contact your UpGuard account representative to see a sample assessment.

Newly registered domains monitoring for Typosquatting

We’ve improved how we detect typosquatting by monitoring newly registered domains for more possible permutations of your domain name. This improvement will identify more potentially malicious domains, faster.

Improved filtering and risk visibility in questionnaire viewer

We’ve made some changes to the questionnaire viewer to help you and your vendors focus on areas that need attention:

  • We’ve added a filter to the questionnaire detail view so you can easily navigate to raised risks, unanswered questions and autofilled responses.
  • We’ve added a risk table to the questionnaire summary to help recipients identify and address risks.

Other improvements

  • This release includes a number of bug fixes.

April 2024
New ServiceNow integration

Toby Roger
April 29, 2024

The new version of our ServiceNow Vendor Risk integration is now available. You can add UpGuard as a Third Party Risk Score provider, and sync your monitored vendors within UpGuard with the vendors listed in ServiceNow.

The integration also allows you to view UpGuard vendor information in ServiceNow, including tiers, labels, domain counts, score and risk count by severity, as well as industry average score and score trend information. To learn more see How to set up ServiceNow Vendor Risk integration with UpGuard or access the integration from the ServiceNow Store.

Predictive scoring for vulnerability exploitation

To help improve the prioritization of vulnerabilities, we’ve integrated the Exploit Prediction Scoring System (EPSS) into UpGuard’s Vulnerabilities module. EPSS uses a machine learning model trained to determine the likelihood that a CVE will be exploited in the next 30 days. Comparisons with CVSS show that EPSS is about 10x more efficient at identifying which vulnerabilities will and will not be exploited, making the most of your security and IT teams’ finite resources. Learn more about EPSS and how to use it in UpGuard.

Other improvements

  • Trust Exchange users can now save requested documents into their content library for re-use.
  • Collaborating on imported questionnaires is now easier as you can add collaborators via the questionnaire details view.
  • Imported questionnaires can now be published to the shared profile.
  • This release also includes a number of bug fixes.
April 2024
Answer questionnaires faster with import improvements

Annie Luu
April 9, 2024

Your imported questionnaires can now be used as a source for AI Autofill, so each questionnaire you answer in UpGuard Trust Exchange makes your subsequent questionnaires more accurate, faster, and easier. We’ve also added the ability to archive and delete imported questionnaires, as well as see suggested documents from your content library in the questionnaire viewer. Try these features out for yourself by importing a questionnaire.

Improvement to Vendor Risk Executive Summary 

We’ve enhanced the monthly distribution of vendor risk ratings on the Executive Summary page, updating the graph to show 13 months of data (allowing for a full 12 month comparison period) and changing it to a stacked bar graph to improve readability. These changes also extend to the Vendor Risk Executive Summary export and the Board report. To learn more, see What is in the UpGuard Vendor Risk Executive Summary Report?

Other improvements

  • Added vulnerability detection for Openfire administration consoles.
  • Added detections for potential subdomain takeovers for Heroku, Netlify, Vercel, and GitHub Pages.
  • This release also includes a number of bug fixes.