UpGuard Release Notes

Learn about new features, changes, and improvements to UpGuard.
September 2023
What’s New in UpGuard | September 2023

UpGuard Team
September 30, 2023

Learn about new features, changes, and improvements to UpGuard this month.

  • AI Autofill utilizes the recipient’s past questionnaire responses to make smart suggestions, allowing them to spend less time on painful, manual copy-and-paste processes, and more time focusing on fine-tuning responses and improving their answer repository.
  • You can now create and save custom report templates in the Reports Library, which can then be used by you and others in your organization to run custom reports. We have also enhanced our report Library display and navigation to make it quicker and easier to find and run the reports you need.
  • We’ve made some improvements to make it easier for you to track and manage Identity Breaches, such as improved filtering so you can now filter the list of breaches by severity, specific data types exposed, number of people involved, and date.
September 2023
Identity Breaches uplift

Annie Luu
September 28, 2023

We’ve made some improvements to make it easier for you to track and manage Identity Breaches. We’ve improved filtering so you can now filter the list of breaches by severity, specific data types exposed, number of people involved, and date. This follows on from recent changes to assign an identity breach to users within your organization, and add comments to the breach to track your progress and activity. 

To learn more see How to collaborate on Identity Breaches.

Improved risk assessments including pre-filled commentary template - now in BETA

We’ve made improvements to the risk assessment workflow to make it more intuitive and flexible including:

  • Improvements to the commentary section, by providing a more flexible template, divided into sections to give you more flexibility to present the risk assessment report according to your needs.
  • Addition of more merge tags so you can pre-fill vendor information including scores, tiers and attributes so you can generate comprehensive pre-filled commentary for your risk assessment.

To learn more see How to use the vendor risk assessment framework (BETA).

These improvements are now available in limited release to our BETA customer group. Talk to your account manager if you would like to get early access to these features.

Configure risk visibility for questionnaire recipients

Vendor Risk customers now have the option to disable risks from questionnaires, or configure how the risk is shown to the vendor. This allows greater flexibility in both custom questionnaires and UpGuard template questionnaires. To learn more see How to configure risk visibility within questionnaires.

Other improvements

  • Additional vulnerabilities. We’ve added support for detecting the version and associated vulnerabilities for many more products. 
  • Schedule a report for generation using the public API. Report types supported are Board Summary Report, Board Summary Presentation, BreachSight Summary, BreachSight Detailed, VendorRisk Executive Summary, Vendor Summary, Vendor Detailed. Generated reports can be retrieved through the use of supplied email address(es), a webhook URL or via a secondary API call to obtain a download URL.
  • This release also includes a number of bug fixes
September 2023
Receive faster responses to questionnaires with our new AI Autofill

Annie Luu
September 14, 2023

The launch of our AI Autofill tool makes it faster and easier for your vendors to respond to security questionnaires, delivering accurate, high-quality results. AI Autofill utilizes the recipient’s past questionnaire responses to make smart suggestions, allowing them to spend less time on painful, manual copy-and-paste processes, and more time focusing on fine-tuning responses and improving their answer repository. Find out more about How to use AI Autofill and our AI Toolkit.

Improved ability to collaborate on identity breaches

We’ve made it easier to collaborate and resolve identity breaches. You can now assign an identity breach to users within your organization, and add comments to the breach to track your progress and activity. To learn more see How to collaborate on Identity Breaches.

Scoring change to TLS and End of Life software risks

We’ve adjusted the impact of risks for end-of-life software products and additional TLS validation. These risks were previously provisional, and have now been updated with a score impact that reflects the risk they pose.

Other improvements

  • We’ve improved the risk assessment framework to better reflect that risk assessments are point-in-time assessments. Questionnaires and other evidence used in risk assessments are now snapshotted, and will not be affected by any activity that happens after the risk assessment.
  • We’ve released a new version of our ServiceNow Third-Party Risk Management integration, certified for the upcoming Vancouver release. 
  • This release includes a number of bug fixes.
August 2023
Easily convert documents to additional evidence

Annie Luu
August 30, 2023

We’ve made it easier for you to convert documents included with questionnaires and general documents into additional evidence. This allows you to easily classify and add risks to these documents, and use them as part of your vendor risk assessments. To learn more see How to capture additional evidence.

Detection of Citrix ShareFile and Ninja Forms WordPress plugin amidst active exploitation 

Citrix ShareFile has been targeted by attackers to exploit CVE-2023-24489. We now identify which sites are running ShareFile so you can ensure they have been updated to the current version. We also identify sites using the Ninja Forms WordPress plugin, which is being targeted via CVE-2023-37979, CVE-2023-38386, and CVE-2023-3839.

Vulnerability detection for many JavaScript libraries

Our JavaScript vulnerability detection has been extended to include Bootstrap, Chart.js, Handlebars, and many other popular libraries to ensure that websites you depend on aren’t affected by frontend vulnerabilities.  

Other improvements

  • This release includes a number of bug fixes
  • Improvements to collection of dark web posts will capture more breach announcements
August 2023
Automation of tiers, labels, portfolios and custom attributes—now in beta

Annie Luu
August 16, 2023

This feature makes populating vendor attributes instant and easy. You’ll now be able to automatically apply tiers, labels, portfolios or custom attributes to your vendors, based on answers collected from an internal relationship questionnaire. With flexible logic and the ability to create simple or complex automation rules, this feature reduces the manual effort required to collect and store information about your vendors, and makes it easy to apply consistent logic across your entire vendor portfolio. 

Automation will be available to Vendor Risk customers on Professional, Corporate and Enterprise plans, and is currently being rolled out to a closed beta release group. To join the beta, get in touch with your Customer Success representative. 

New vulnerability detections added

  • We now detect the actively exploited Ivanti / MobileIron vulnerabilities CVE-2023-35078, CVE-2023-35081, and CVE-2023-35082.
  • We also detect two WordPress plugins that are being actively exploited, Advanced Custom Fields and Essential Addons for Elementor.
  • Unverified vulnerabilities have been added for websites using AngularJS. 

Other improvements

  • Vendor Risk customers can now archive shared questionnaires and additional evidence, to keep your questionnaires view up to date and free of clutter. 
  • This release also contains a number of bug and performance fixes
August 2023
Customize and save report templates

Annie Luu
August 2, 2023

You can now create and save custom report templates in the Reports Library, including the ability to add custom commentary and configure which elements to include in your report. Templates can then be used by you and others in your organization to run custom reports. 

We have also made some further improvements to the report Library display and navigation to make it quicker and easier to find and run the reports you need.

The navigation improvements and the ability to customize reports are available to all users, but the ability to save custom templates for re-use is limited to customers on Professional plans and above.

To learn more about custom reports see How to create a custom report template.

New Vulnerability detections added

  • We now detect jQuery vulnerabilities. These are based on the version of the library in use, and are marked as unverified vulnerabilities with no score impact.
  • Added detections for new vulnerabilities in Atlassian Bamboo (CVE-2023-22506) and Confluence (CVE-2023-22505, CVE-2023-22508). 
  • Improved version detection for Citrix Gateway and ADC vulnerabilities CVE-2023-3519, CVE-2023-3466, and CVE-2023-3467. These vulnerabilities are also known to be exploited and should be investigated if detected. 

Other improvements

  • Improved the questionnaire builder to allow an optional free-text field to be added to single-select and multi-select (radio/checkbox) questions.
  • This release includes a number of bug fixes
July 2023
New bulk upload tool for additional evidence, and more

Annie Luu
July 19, 2023

In this release, we’ve introduced a new bulk upload tool for additional evidence in Vendor Risk. Adding additional evidence is vital to maintaining an accurate view of your vendors—and a huge time-saver when it comes to performing faster risk assessments without the need for lengthy questionnaires. Learn more about additional evidence.

UpGuard’s integration is now compatible with ServiceNow’s latest version

For customers utilizing our ServiceNow integration, you can rest assured that it is compatible with the Utah version of ServiceNow, as well as previous versions Tokyo and San Diego. 

Other improvements

  • This release includes a number of bug fixes
July 2023
New Board Summary PowerPoint presentation, and improvements to reputation risk detection

Annie Luu
July 5, 2023

This release includes expanded sources for reputation risk detection, improvements to reporting templates, as well as additional evidence enhancements and more. 

Improvements to reputation risk detection

This release includes expanded sources for reputation risk detection, to ensure your assets are better protected against malicious actors. We’ve improved a number of areas, including detection of domains and IPs that are communicating with command and control servers, suspected of brute force login attempts, conducting unsolicited scanning, distributing malware, and hosting phishing sites. These improvements also provide visibility of when a domain or IP has been mistakenly flagged on one of the reputation lists, and allow corrective action to be taken.

UpGuard collects reputational risk data from a variety of sources. We include the source of the data in the risk’s “actual” value so that you have transparency into the information being used.

Board summary report now available as a PowerPoint presentation

Fans of our board summary reporting template will rejoice, as you can now download this report as an editable PowerPoint document for easy customization and sharing. 

Other improvements

  • It is now easier to see when you’ve saved documents against your vendors that might help in your assessment of them—like a SOC2 report, or ISO 27001 certificate. You can now add “Evidence” and “Questionnaires” columns to the Vendors page, and filter by additional evidence and questionnaire types.
  • There is now an informational risk present for use of TikTok Analytics.
June 2023
What’s new in UpGuard | June 2023

UpGuard Team
June 30, 2023

Learn about new features, changes, and improvements to UpGuard this month.

  • You can now share risk waivers that you create with organizations that monitor you as a vendor. Vendor Risk users will be able to see if a vendor organization has any public (shared) risk waivers, review them, and choose whether to accept those risk waivers.
  • We’ve improved our scanning, adding new risks to identify software that is past its end-of-life date. These scanning improvements identify the software used by your organization that is no longer supported by its developers and is potentially open to exploitation by threat actors.
  • We’ve developed a new tool, utilizing the power of AI, called AIEnhance. This new feature allows vendors to turn short bullet points or rough draft notes into full-sentence responses with the click of a button.
June 2023
Improved flexibility for BreachSight reports and new subsidiary report

Annie Luu
June 7, 2023

We have made several improvements to BreachSight reports in this release, including the addition of a new subsidiary report.

  • BreachSight report: we’ve improved visualizations as well as added flexibility to build custom reports and add custom commentary.
  • Organizations that include subsidiaries: the new subsidiary report allows you to run a detailed risk report for your organization and its subsidiaries and compare the performance of subsidiaries over time. 

To learn more about the changes see How to generate a BreachSight report and How to generate a BreachSight Subsidiaries report.

Other improvements

  • Improvements to Vendor Risk Waivers allowing increased flexibility to select and edit domains/IPs or questionnaires included in the risk waiver. 
  • Enhanced filters for questionnaires. With these new filters, you can easily sort through shared assets based on their status, making it even easier to keep track of all important documents and information provided by your vendors.
  • A new Post Breach questionnaire type is now available in the Questionnaire Library. This questionnaire is designed to be sent to a vendor following a breach.
  • This release also includes a number of bug fixes.
May 2023
Improved flexibility for Vendor Risk and Board summary reports

Annie Luu
May 24, 2023

In this release we have made a number of improvements to Vendor reports and the Board summary report. These include improved visualizations as well as increased flexibility to build custom reports and add custom commentary. To learn more about the changes see How to generate a vendor report and How to generate a board summary report.

Other improvements

  • Scheduled reports which were previously only available for higher plans are now available to all customers. To learn more see What are recurring reports.
  • We’ve improved the custom vendor attributes feature to allow multi-select set lists. To learn more about how to use custom vendor attributes to store information about your vendors see How to use custom vendor attributes.
  • We’ve made a change to make it clearer to vendors that a questionnaire has been archived, preventing vendors from editing them. 
  • We’ve made some improvements to the recently released Questionnaire changes view feature to make navigating to see changes even easier. To learn more see How to compare responses using the Questionnaire Changes View.
  • We’ve added low severity risks related to TLS, including use of insecure cipher suites, common or weak Diffie-Hellman primes, and weak public keys. These will initially be released as provisional with no score impact.
  • We’ve made improvements to asset geolocation, now showing the location of the IP address rather than the IP owner.
  • This release also includes a number of bug fixes.
May 2023
New functionality for vendors, powered by AI

Annie Luu
May 9, 2023

Today we’re releasing a new tool called AIEnhance, to help vendors respond faster and more accurately to questionnaires. Powered by AI, this feature is the first of its kind, as it allows vendors to turn short bullet points or rough draft notes into full sentence responses with the click of a button. It can correct grammatical mistakes, remove typos, and improve responses instantly without having to leave the questionnaire.

This feature is now in beta, available to all vendors who have been sent an UpGuard standard questionnaire. It is not yet available on custom questionnaires. We welcome feedback as we continue to make it easier and faster to respond to questionnaires. Learn more about AIEnhance.

Improved IP range presentation

The IP Ranges tab will now only show ranges that are wholly owned by the organization you are viewing. 

Risk for VMware daemon

We will now raise a high severity risk when the VMware authentication daemon, a service that is used in products including ESXi, is publicly exposed.

Informational risk for Meta Pixel

We will now raise an informational risk when we detect the Meta/Facebook Pixel. While this technology can be implemented benignly, it has been involved in several data breaches where personal health information was improperly transmitted to Meta via the tracking Pixel. 

Improvements to additional evidence 

Vendor Risk customers now have more flexibility to track additional evidence that is attached to a monitored vendor, with these changes:

  • Additional evidence risks are now able to be edited
  • New additional evidence document classification types have been added, alongside the ability to add your own custom types

For more information about these changes see How to capture additional evidence.

Other improvements

  • This release includes a number of bug fixes