UpGuard Release Notes

Learn about new features, changes, and improvements to UpGuard.
November 2020
Improved input fields, button styles, and hover states

Abi Tyas Tunggal
November 25, 2020

We’ve updated input field and button styles throughout the platform to ensure consistency. Whether you’re searching for findings on your risk profile, looking for a specific vendor, or filtering vulnerabilities, input fields and buttons should now look, feel, and behave in the same way. This makes it easier for new users to get up to speed quickly and for existing users to learn how to use new features as we release them.

In addition to these changes, we’ve made accessibility improvements to our icons by increasing their clickable area and adding hover states. These improvements mean the platform is easier to use for users with smaller screens or poor eyesight.

Other fixes and improvements:

  • Fixed issue where the character limit was longer when creating a remediation request than when editing it
  • Fixed issue causing runtime error on large exports
  • Domains parked with register.com will now appear as inactive
  • Added exception from the non-httpOnly cookie risk for Imperva and Barracuda WAF cookies
  • Fixed issue causing remediation request email to not display company name when there are multiple users on the request
  • Fixed issue causing remediation request timeline to not display the original requester’s name when multiple users are added to the request
November 2020
Monitor your subsidiaries

Abi Tyas Tunggal
November 10, 2020

We’re adding support for subsidiaries as a beta feature. This makes it easy to identify common misconfigurations and security issues shared across your organization and its subsidiaries. You can see a tree structure of your organization, click into individual subsidiaries, and dive deep into their risk profile, domains & IPs, vulnerabilities, and even their own subsidiaries. You can also request remediation of identified risks from your subsidiaries.

Examples of things you can do:

  • Find security issues shared across your organization and its subsidiaries
  • Identify subsidiaries with poor security postures
  • Understand your complete security profile from the parent company down to the individual subsidiary.

We hope you’ll find a lot of use for subsidiaries and we think this will make UpGuard work better for many different types of organizations.

If you would like to beta test the subsidiaries feature, please contact us via support@upguard.com or by using the live chat in-app which can be found in the bottom right corner of your screen. Once enabled, subsidiaries will show up under Subsidiaries under the BreachSight section of the sidebar. Click on it to view your subsidiaries and explore the additional functionality that has been released.

How to use subsidiaries to monitor your organization’s attack surface

Dynamic filtering on portfolio risk profile

When you select other filters that impact the list of findings available on your Portfolio Risk Profile, the findings filter now dynamically adjusts to only show the corresponding identified risks. For example, if you choose the risk category Website Risks, the findings will only show those that correspond to that category.

How to filter the portfolio risk profile

Other fixes and improvements

  • Fixed issue causing Excel questionnaire exports to not match the UI
  • Fixed issue where PDF exports would cut off questionnaire answers if they were too long
October 2020
Create notes inside the UpGuard platform

Abi Tyas Tunggal
October 28, 2020

You can now leave generic notes about your vendors inside the UpGuard platform without having to upload a file. This means you can drop in any information you need without having to create and upload a separate document.

This could be information about what project the vendor relates to, why the vendor has been engaged, and any other important information like contract dates or SLAs that don’t justify creating and uploading an entire document.

We hope this feature means you can start storing more of your vendor-related information in UpGuard and we can start acting as your central vendor management repository.

Learn how to create notes

Better vendor filtering: NOT operator and unlabelled support

You can now filter your vendors to show any that do not match a particular label (or labels). For example, you can now see all vendors who are NOT labeled with “Customer Data”.

We’ve also added a special label called “unlabelled” which can be used to find all vendors who do not have a label applied or who do have labels if you use the NOT operator.

Learn how to filter your vendors

Other fixes and improvements

  • Improved the design of the top of vendor summary pages
  • Fixed a UI issue that caused long vendor names to push the close button off-screen in the vendors section in the sidebar
  • Improved support for domains parked with GoDaddy; these domains will now appear as inactive
  • Fixed bug causing data leaks reporting to display duplicate keywords under some circumstances
  • Made changes to remediation requests so that risks will update when domains become active or inactive
  • Improved error message for situations where new users try to claim an expired invitation
  • Questionnaires and other vendor assets are now stored when you stop monitoring a vendor and will be there if you start monitoring the vendor again
  • Fixed UI issue causing risk assessment notifications to be hard to dismiss
  • Individual vulnerability notifications can now be dismissed
October 2020
Scoring algorithm improvements

Abi Tyas Tunggal
October 12, 2020

We have made significant improvements to our scoring algorithm. From time to time, we adjust our scoring algorithm based on new information gleaned from industry trends, research, and customer feedback. It is important to note that our new scoring algorithm may have reduced the security rating of you and your vendors.

Here’s what improvements were made and why:

  • Lower scores are weighted more heavily: Ensures poor security on an individual domain or IP address is not “averaged out” by otherwise good security across an organization’s infrastructure. An organization is only as secure as its weakest link.
  • Greater emphasis on network security issues: Open ports, while not dangerous on their own, often expose vulnerable services. A great example of this risk is WannaCry, a ransomware cryptoworm that infected more than 300,000 computers by exploiting a zero-day in old versions of a network protocol called SMB. WannaCry was so successful because the SMB port is open by default on many legacy Windows machines.

As part of these improvements, we have combined our brand and reputation risk categories. Brand and reputation are two sides of the same coin and we believe it makes more sense for the underlying risks to fall under the same category.

Please read this article for more information about how you should respond.

Improved design and functionality for vendor reports

We’ve improved the design and functionality of our vendor report.

Based on your feedback, we have reduced the amount of UpGuard branding on the cover page of the report and if you have custom branding enabled, you’ll see reports now include your logo on the cover page.

In addition to these design changes, you can now generate vendor reports from any instant report vendors. These improvements are designed to make the report more accessible and easier to understand for recipients whether they’re internal stakeholders or vendors.

Learn how to generate a vendor report.

Other fixes and improvements

  • Changed font from Lato to Inter, a more modern typeface that is consistent with the new UpGuard website
  • Fixed issue where switching between category and overall views on risk profile caused waivers and custom domains checkbox to become unticked
October 2020
Better emails: Support for company branding and better calls to action

Abi Tyas Tunggal
October 1, 2020

We made significant improvements to our emails. The most notable change is that you can now add company branding. Once enabled, your logo will appear at the top of any email sent by us to vendors or internal stakeholders. This makes it easier for recipients to understand who is making the request and will result in less back-and-forth between you and your vendors.

As part of these changes, we’ve also refreshed the design of our emails to make it easier for recipients to know what action they need to take next. This change means faster responses, better engagement, and less time spent chasing up requests.

Learn how to enable co-branding.

Remediation workflow for vulnerabilities

You can now request remediation of verified and unverified vulnerabilities in first and third-party remediation workflows. This is part of our ongoing work to improve our vulnerability management capabilities.

Learn how to request remediation from a vendor.

Export individual identity breaches

You can now export individual identity breaches as a PDF report or to Excel. The PDF report is a great way to communicate the extent of an identity breach to your internal stakeholders without having to invite them to UpGuard.

Learn how to export an identity breach.

Other fixes and improvements

  • Improved in-product references to relevant knowledge base articles
  • The Vendor Risk executive summary now shows the number of vendors your organization monitors over time
  • You can now label your inactive domains and labels will remain when domains transition from inactive to active or active to inactive
  • Data leaks reporting now shows all keywords including those with no results
September 2020
Improved vulnerability detection and management

Abi Tyas Tunggal
September 16, 2020

We’ve expanded our vulnerability detection and management capabilities by differentiating between verified and unverified vulnerabilities.

As UpGuard scans from outside companies’ networks, there are some vulnerabilities we can confirm (verified vulnerabilities), but others we only know may exist (unverified vulnerabilities). When verified vulnerabilities are detected, you’ll also be able to see them on your, and your vendors’, risk profiles and use them in our remediation and risk waiver workflows.

In addition, you can now ignore unverified vulnerabilities to remove them from the vulnerabilities list. This is different from a risk waiver because you are signaling that the risk doesn’t exist, as opposed to a risk waiver where you are accepting the risk.

To learn how to use our vulnerabilities feature, see our articles on UpGuard BreachSight vulnerabilities and UpGuard Vendor Risk vulnerabilities.

Audit log

Administrators can now see an audit log of important events in the UpGuard platform and who actioned them.

This will allow you to see, for example, who has logged in, who has had their permissions changed, whether an UpGuard employee has viewed your account, when a questionnaire has been sent, when a risk assessment has been published, and much, much more.

Learn about the events tracked through our audit log.

Six new questionnaires

As part of our continued investment in the platform, we’re releasing six new questionnaires:

  • COBIT 5 Security Standard Questionnaire: Assesses compliance against the Control Objectives for Information and Related Technologies Framework created by ISACA.
  • ISA 62443-2-1:2009 Security Standard Questionnaire: Assesses compliance against the ISA 62443-2-1:2009 standard for industrial automation and control systems.
  • ISA 62443-3-3:2013 Security Standard Questionnaire: Assesses compliance against technical control system requirements associated with the seven foundational requirements (FRs) described in IEC 62443-1-1.
  • GDPR Security Standard Questionnaire: Assesses compliance against the personal information disclosure requirements outlined in the European Union's General Data Protection Regulation (GDPR).
  • CIS Controls 7.1 Security Standard Questionnaire: Assesses compliance against the best practice guidelines for cybersecurity outlined in 20 CIS Controls.
  • NIST SP 800-53 Rev. 4 Security Standard Questionnaire: Assesses compliance against the security and privacy controls required for all U.S. federal information systems except those related to national security.

Other fixes and improvements

  • We’ve broken up Documents & Contacts into two separate pages (Documents and Contacts)
  • Documents now includes all file-based evidence for a vendor and is categorized by source: general documents, additional evidence, or questionnaire responses
  • Documents added as additional evidence are now available in the vendor’s Documents & Contacts
  • Prioritized typosquatting results to first show homoglyphs with only one substitute character and where characters look similar to the original domain
  • UpGuard analysts can now redact a sensitive URL on a data leaks finding
  • Improved the readability of cookie-based automated scanning results
  • Added parked domain detection for registrar CSC
  • Fixed an issue where users on Chromebooks couldn’t upload files
September 2020
New vendor risk report

Abi Tyas Tunggal
September 2, 2020

We added a new downloadable report to UpGuard. Now you can generate a report that outlines the security posture of any monitored vendor and share it. Reports can be configured to include automated scanning, questionnaires, and additional evidence, or be based on completed risk assessments. It’s also a nice way to introduce UpGuard to your colleagues, board members, or vendors without having to invite them to the platform.

We also added context around each identified risk and remediation recommendations that can be used to drive decision-making, speed up vendor due diligence, and drive remediation efforts.

Learn how to generate a vendor report

Additional evidence

At the start of August, we released additional evidence to select customers. Since then we have improved the functionality. We’re excited about this as it enables many of you to capture risks identified in documents that your vendors have proactively published to their websites. Starting today, additional evidence is available for all UpGuard VendorRisk users and we’ll keep improving it over time.

Learn how to capture additional evidence

Other fixes and improvements

  • Reports can now be archived and deleted
  • Added search to reports page
  • Improved search and filter functionality to support renamed vendors
  • Increased max vendor name length from 50 characters to 150 characters
  • Fixed bug when extracting risks from completed questionnaires
  • Several fixes to read-only users including removing their ability to dismiss notifications
August 2020
Additional evidence

Abi Tyas Tunggal
August 6, 2020

We've released a new feature called additional evidence in closed beta that will roll out to the entire user base in two weeks. If you would like access now, please get in touch.

While we recommend you use UpGuard's security questionnaires and automated scanning tools to assess your vendors, in some situations you may need to capture additional evidence about a vendor.

For example, you may send a questionnaire to a large SaaS vendor only to be directed to a page on their website that hosts complete security questionnaires, audit reports, and certificates. These documents provide insights into the vendor's security posture and attack surface.

Additional evidence allows you to capture and store this security or compliance-related documentation and associate any identified risks. Once identified, you can choose to include these risks in the vendor's risk profile, and cite them as part of a risk assessment.

Learn how to capture additional evidence here.

Other improvements and fixes

  • Data leaks customers can now see search results from the dark web and Google searches
July 2020
Improved WordPress information

Abi Tyas Tunggal
July 21, 2020

A common misconfiguration for WordPress sites is to expose the names of users. We now display the actual user list in the UpGuard platform when this risk is detected.

Additionally, we now explicitly check for old versions of WordPress that have known vulnerabilities that can be exploited.

Other improvements and fixes

  • You can now retrieve the current set of risks from a vendor via our API.
  • Risks are now prepopulated when you request remediation through the Portfolio Risk Profile.
  • Questionnaire due dates can now be changed. If you want to change a questionnaire's due date, click on the questionnaire, click the "actions" button, and then click "Set due date".
  • You can now export to PDF and Excel in more places.
  • When you have filters active and export data to PDF, the PDF that is generated will now display the filters you used.
  • The check for certificates that are about to expire now triggers when a certificate is within 20 days of expiring, rather than 30. This change is designed to reduce the number of false positives, as some popular certificates (like Let's Encrypt) can be set to automatically renew when there are fewer than 30 days to expiry.
July 2020
Improved webhook integrations

Abi Tyas Tunggal
July 7, 2020

In addition to our API, UpGuard uses webhooks to notify other applications when an event happens in your account. This could be when an identity breach or data leak is detected, the security rating of a vendor drops below a threshold, or when a user requests access to your Shared Profile.

Our improved webhook integration allows you to customize the payload you send to the webhook. This means you can push data into our systems without having to support our default payload format.

If you’re an UpGuard account admin, you can set up new and configure existing webhook integrations from Account Settings -> Integrations, or by clicking here.

If you need a hand setting up your first integration, please read our article on how to integrate UpGuard with other services.

Vulnerabilities are now available through our API

The UpGuard API now lets you return the list of vulnerabilities detected for your organization and your vendors. Click here for details.

Other improvements and fixes

  • When you filter your vendor portfolio based on labels you can now choose whether you want to see vendors that match any of the labels applied or restrict the results to only vendors who have all labels applied.
  • You can now export from the "Vendors" page in Excel and PDF formats
June 2020
Data Leaks Reporting

Abi Tyas Tunggal
June 23, 2020

We're releasing a new feature for our Data Leaks customers called Data Leaks Reporting. It provides detailed analytics on the keywords you have provided us.

You'll be able to see which research results were classified as safe (by our algorithms or analysts), and which resulted in findings.

Please note: This feature will be rolled out over the coming week. In the meantime, be sure to check out our knowledge base article on Data Leaks Reporting.

If you are a current UpGuard customer and are interested in the Data Leaks module, please contact your Technical Account Manager or click the chat widget in the lower right corner of your screen.

UpGuard Vendor Risk

We've made some enhancements to the export functionality of Portfolio Risk Profile. You'll now notice that when you export data it will include the details of the specific risks identified at each vendor.

Read our knowledge base article on how to export from the Portfolio Risk Profile for more information.

UpGuard BreachSight

We've also improved the export functionality of Vulnerabilities. When you export vulnerabilities, we now include the description of the CVE in the export.

If you would like to learn more about our Vulnerabilities module, read our knowledge base article here.

June 2020
Shared Profile

Abi Tyas Tunggal
June 10, 2020

We've made it easier to control who has access to your Shared Profile. You can now choose to give access to any registered UpGuard user or only to people you explicitly approve.

For context, a Shared Profile makes it easier to respond to security queries by allowing you to proactively publish information, such as completed security questionnaires or a SOC 2 report, alongside your security rating.

This saves your team time by allowing you to share vital information for potential and current customers without having to respond to the same questions over and over.

If you haven't contacted us to enable the Shared Profile functionality and would like to use it, please do so via support@upguard.com or via the chat widget in the bottom right-hand corner of your screen.

And if you'd like to configure your company's Shared Profile or access level, you can do so from the "My Shared Profile" page.

Go to My Shared Profile

Improved knowledge base

To help you and your team get up to speed with existing and new features inside the UpGuard platform, we're rolling out a new knowledge base.

If you want us to explain how to use any of our features or what we consider best practices, please reach out to us and we'll do our best to accommodate.

Go to the UpGuard Knowledge Base
