UpGuard Release Notes

We’ve improved our scanning, adding new risks to identify software that is past its end-of-life date, including indicating end-of-life date. End-of-life software no longer receives updates, including for security issues. Using this software is extremely risky as it is likely to have vulnerabilities without patches, and those vulnerabilities are often targeted by threat actors.

To see any end-of-life software risks affecting your organization, login to your Cyber Risk account.

Improve visibility of status for Managed Vendors

We’ve added new Service Status and Analyst Notes fields to the Managed Vendors page to help organizations using Third-Party Risk Management Services to easily see the status of their requests. To learn more about these changes and Third-Party Risk Management Services see How to request a managed service.

Other improvements

• This release includes a number of bug fixes

These two features which have been in limited beta are now available to all eligible customers. This release also includes additional Excel exports available across the platform, improvements to questionnaire exports, and more. 

Portfolios for your domains in BreachSight

Asset portfolios provide a way to group your domains together to simplify asset management, enforce access controls, and segment reporting. Portfolios are flexible and configurable, allowing you to group assets however best supports your business—by region, business unit, or other internal structures. Newly discovered subdomains will automatically inherit portfolio membership from their parent, ensuring consistent visibility over dynamic footprints. To learn more see  How to use asset portfolios to segment your domains.

This feature is included in all Professional, Corporate and Enterprise plans. Otherwise, to get access to this feature get in touch with your Technical Account Manager or contact us via support@upguard.com. 

Public Risk waivers

To make it easy for you to share information about compensating controls with UpGuard users in other organizations, you can now share risk waivers that you create with organizations that monitor you as a vendor. To learn more see How to use public risk waivers in Breachsight. 

Vendor Risk users will be able to see if a vendor organization has any public (shared) risk waivers, review them, and choose whether to accept those risk waivers. To learn more see How to use public risk waivers in Vendor Risk.

Excel exports

To make it easier to extract and analyze the information and data you need, we’ve added a number of new Excel exports across the platform. New exports include: 

• Risk profile changes view
• Risk waivers
• Individual remediation requests
• BreachSight and Vendor Risk executive summary
• Subsidiaries

Improvements to questionnaire exports

We’ve made improvements to questionnaire exports to allow inclusion of messages and comments. We’ve also added more fields to questionnaire summary exports to help you track and report on questionnaire activity and status across your vendors. 

Other improvements:

• Updates to risks for non-standard HTTP & HTTPS ports
• This release includes a number of bug fixes

Learn about new features, changes, and improvements to UpGuard this month.

To promote your security rating to your customers and partners, you can easily embed our score badge on your website by clicking Share rating in the top right corner of any BreachSight page within the app. Visit How to add your security rating badge to your website to learn more. 

Public Risk waivers - BETA release

To make it easy for you to share information about compensating controls with UpGuard users in other organizations, you can now share risk waivers that you create with organizations that monitor you as a vendor. To learn more see How to use public risk waivers in Breachsight

Vendor Risk users will be able to see if a vendor organization has any public (shared) risk waivers, review them, and choose whether to accept those risk waivers. To learn more see How to use public risk waivers in Vendor Risk 

This feature is now available to Beta customers. If you would like to get early access, get in touch with your Technical Account Manager or contact us via support@upguard.com. 

Compliance reporting for new ISO 27001 (2022) questionnaire 

Following on from the recent release of the new ISO 27001 (2022) questionnaire, we’ve added a new framework to our compliance reporting to provide an easy way to assess the level of compliance that a vendor has against this standard. To learn more see What is compliance reporting in UpGuard Vendor Risk.

Other improvements

• Bulk IP address labeling – when importing lists of IP addresses, you can attach labels to them.
• This release includes a number of bug fixes. 

In this release we have added a new feature to store Trust and Security page links against each vendor organization, making it easier to source and access publicly available security information to perform risk assessments.

• We have added more than 4,000 links for relevant trust and security pages to the profiles of our most highly-monitored vendors. 
• Any organization that has a Shared Profile in UpGuard can add additional relevant links to their own profile, making them available to other organizations assessing them in the UpGuard platform.
• Vendor Risk users can also add links to the profile of any organization they are monitoring to use in their own vendor assessments.

To learn more see How to use Trust and Security pages in UpGuard.

Score change for public headers

The risks for security headers introduced in November 2022 have now been updated from unscored provisional risks to risks with score penalties applied. The penalties for these risks are averaged into the scoring algorithm, so there will be an equal number of domains that incur a score decrease as see a score increase, depending on whether they have implemented these controls at a lower or higher rate than average. You will see an indicator on the Risk Profile timeline so that changes in scores can be attributed to the introduction of penalties for these risks.

Portfolios view for your domains in BreachSight, now in beta

Asset portfolios provide a way to group your domains together to simplify asset management, enforce access controls, and segment reporting. Portfolios are flexible and configurable, allowing you to group assets however best supports your business—by region, business unit, or other internal structures. Newly discovered subdomains will automatically inherit portfolio membership from their parent, ensuring consistent visibility over dynamic footprints. This feature is now in a limited beta test. If you’d like to try it out, get in touch with your Technical Account Manager or contact us via support@upguard.com. 

Other improvements

• It’s now easier to find and use Shared Profile documents your vendor has uploaded. These can be found in the Questionnaires, Additional Evidence and Risk Assessments views. 
• We’ve added a warning if vendors try to submit questionnaire updates without making changes, to cut back on unnecessary steps.
• We’ve made some changes to the risk profile pages, adding a status column to improve visibility of risk waivers as well as remediation requests. We’ve also made it easier for you to edit your risk waivers if the scope changes.
• This release includes a number of bug fixes. 

This release includes two updates to questionnaires that we think you’re going to want to know about. Firstly, we’ve introduced a new version of our ISO 27001 questionnaire. This new version is in line with the ISO/IEC 27001:2022 standard which was published in late 2022. Secondly, we’ve added the ability for vendors to export the questionnaires from UpGuard, complete them, and import them back into the platform. Read on to learn more.

ISO 27001:2022 Questionnaire update

Now available in the Vendor Risk Questionnaire Library, this update brings our ISO 27001 questionnaire up to date with the latest standard. You will be able to continue to access both the previous version as well as the new one via the Questionnaire Library.

Questionnaire answer import tool – now in beta

Vendors can make use of this new feature to export questionnaires as .XSLX workbooks, add their responses offline, and then import them back to UpGuard to complete the process. This gives vendors the flexibility to complete questionnaires faster and more easily, in the tools of their choosing. This feature is now in beta, with feedback welcome. Learn more about it here. 

Other improvements

• We’ve made some layout and sorting improvements to the competitors table for subsidiary-type accounts. 
• This release includes a number of bug fixes.

Learn about new features, changes, and improvements to UpGuard this month.

‍

We have added additional risks for domains at risk of hijacking. In addition to existing checks for websites that can be taken over, we have now added detection for expired domains in MX record, which could be registered to compromise email security. 

To learn more see How does UpGuard detect sites at risk of subdomain takeover?

Add sorting to competitor analysis in BreachSight 

In the BreachSight Executive Summary, you can now sort the Competitor Analysis panel by name or score to more easily understand how your organization compares to peers.

Improved risk detection for primary domains 

When the example.com and www.example.com versions of a site are different, the risks associated with each version of the site are more accurately reported.

Other improvements

• Risk detection for Microsoft Exchange now uses the full build version for more accurate detection and resolution of vulnerabilities.
• Risks are now raised for domains that serve publicly listable cloud storage buckets. Buckets should be configured not to allow public file listing to prevent potential data leaks. 
• We have exempted more risks specific to Microsoft domains. Generally these risks pertain to SSL/TLS issues that do not appear exploitable and that the domain owners are not able to resolve. 
• Account administrators can now enforce MFA logins for all users in the account, without having to contact UpGuard support. This feature is available through the User Settings page, and only applies to users that are not using SSO authentication.
• We’ve streamlined the process for when you stop monitoring a vendor – now your open questionnaires and remediation requests will be automatically archived.
• This release includes a number of bug fixes.

Following on from the addition of risk assessment summary information to the Vendors page, we’ve added a new report showing risk assessment status across your vendors.

The report will give you a useful snapshot to help you:

• Track and follow up on the status of your in-progress risk assessments
• See which vendors are due for re-assessment, to help you plan for and schedule assessment activity 
• See which vendors have not been assessed, so you can plan for future assessments

To learn more see How to generate a vendor risk assessment summary report       

Additional risks for domain hijacking

We have added additional risks for domains at risk of hijacking. If a domain's DNS records point to an expired or unregistered domain, attackers can register that domain and gain access to part of the target's domain namespace. In this release we’ve added subdomain takeover detection for the following additional services:

• Shopify
• Campaign Monitor 
• Kajabi
• SmartJobBoard
• HatenaBlog
• Worksites
• Uptimerobot
• Help Juice

 To learn more see How does UpGuard detect sites at risk of subdomain takeover?

Incorporating Managed Vendors into Vendor Risk, and Data Leaks into BreachSight 

In order to simplify our navigation and product offering, we have removed the Cyber Research section in UpGuard. Existing customers will now find Data Leaks included in the BreachSight section, and Managed Vendors included in the Vendor Risk section of the application. There are no changes to entitlements, plans, or the service levels of these products.

Other improvements

• We’ve made a few more improvements to the Notifications page, to re-order sections and add clearer description text for some notifications. 
• This release includes a number of bug fixes.

UpGuard’s granular notification system supports many customisable settings that can be overwhelming at first glance. To ensure more effective use of this powerful system, we’ve overhauled the grouping, naming and descriptions of each type of notification. Now, setting up your email and in-app notifications on the Manage Notifications screen is easier to keep track of and understand.

Read more about notifications here:  What are notifications in UpGuard?

Additional risks for domain hijacking

We have added additional risks for domains at risk of hijacking. If a domain's DNS records point to an expired or unregistered domain, attackers can register that domain and gain access to part of the target's domain namespace. In this release we’ve added subdomain takeover detection for the following services: Agile CRM, Strikingly, Anima, Surge.sh.

To learn more see How does UpGuard detect sites at risk of subdomain takeover?

Ability to bulk-update custom vendor attributes

If you’ve been using custom vendor attributes to store important information such as contract expiry date, you will now be able to bulk-edit attributes from the vendors screen. Similar to how you manage tiers, labels and portfolios, this functionality will help you update and assign attributes more quickly and efficiently. 

To learn more see How to use custom vendor attributes. 

Other improvements

• In this release we’ve improved the speed of resolving risks relating to closed ports - risks are now resolved immediately when you request a rescan of a domain or IP.
• This release includes a number of bug fixes.

Learn about new features, changes, and improvements to UpGuard this month.

To make it faster and easier for you to keep track of risk assessment statuses across all your vendors, we’ve added an Assessment summary section to the Vendors page. This lets you quickly filter your view based on risk assessment status, so you can choose which actions to take next. 

We’ve also added Assessment author and Reassessment date as columns on the vendors table, and made it easier for you to tailor your vendors page to see the information that’s most important to you. To learn more see What is the Vendors section?

Amazon S3 subdomain takeover detection

To detect sites at risk of subdomain takeover, UpGuard now checks domains for DNS records that point to resources that are not in use and thereby available for others to register. We are rolling this out initially to provide checks on Amazon S3 buckets, with more information available here. 

Notifications for date-type vendor attributes

If you’ve been using custom vendor attributes to store important dates such as contract expiry date, you will now be able to create custom notifications for these date-type attributes. These notifications will help you keep track of these important dates and can be added as in-app messages in your activity stream or email notifications (email notifications are turned off by default).

To learn more see How to use custom vendor attributes.

Other improvements

• Risk Profile xlsx exports now include columns for Domain and IP Labels.
• When viewing the Domains page for your organization or for a vendor, you can now filter the list of domains by their associated risks.
• We have made some improvements to the questionnaire autofill feature to more accurately detect non-exact matches.
• This release includes a number of bug fixes.

‍