All Collections
UpGuard Vendor Risk
Vendors
What is the Vendors section?
What is the Vendors section?

Learn about what the Vendors section of UpGuard Vendor Risk contains and how you can use it to reduce third and fourth-party risk.

Abi Tyas Tunggal avatar
Written by Abi Tyas Tunggal
Updated over a week ago

The Vendors section of UpGuard Vendor Risk lets you find, monitor, and remove vendors instantly via our instant vendor search, or drill down to view more detailed information about your monitored vendors. 

You can keep track of vendor security ratings and your vendors' risk assessment status, as well as categorize your vendors by viewing, adding and editing tiers, portfolios labels and custom attributes.

You can customize your vendors table to display additional information such as custom vendor attributes and notes and retain this view for future sessions.

You can expand the Assessment Summary to see a summary of risk assessment status across your vendors and easily drill down by assessment status to manage and keep track of your risk assessments.

Similarly you can expand the Tier Summary to easily filter by tier.

You can also export the information on the vendors screen in both PDF and Excel format. Excel exports contain all the information on the Vendors screen including the optional columns included in the Show Fields list.

In addition to the information on the vendors screen, you can click on an individual vendor to see summary of their security posture. This page includes:

  • Risk management information including Risk assessment status, and Remediation, Questionnaire and Risk Waiver information

  • Company profile including industry information and classification information including Portfolio, Tier, Labels and Custom Vendor Attributes

  • Vendor security rating over the last 12 months

  • Score and risk breakdown broken down by categories including Website Security, Network security Brand & Reputation, Phishing and malware and Email security

  • Questionnaire score and risks

  • Vendor Geolocation

How Vendor security ratings are calculated

To understand how we calculate the security ratings for a vendor, it's helpful to start with how we calculate a security rating for an individual domain or IP address.

How we calculate the security rating for a single domain or IP address

To calculate a security rating for a domain or IP address, we run hundreds of individual checks across email security, website security, phishing and malware risk, 200+ services across thousands of ports, domain hijacking and man-in-the-middle risk, security questionnaire results, credential management, and reputational risk. 

This data is collected on a daily basis through commercial, open-source, and proprietary methods, allowing us to evaluate the external security posture of any Internet-facing asset.

The output of the data collection process is fed into our proprietary scoring algorithm to produce a score out of 950. The scoring algorithm is subtractive, in that assets start with a score of 950 and have points subtracted for each failed check.

The number of points deducted is based on the severity of the underlying risks, which we categorize as critical, high, medium or low risk.

The closer an individual asset's security rating is to 950, the better its external security posture and the lower its residual risk exposure. 

How we calculate the security rating of a vendor

To produce a vendor's security rating, we take a weighted average of all the security ratings of their domains and IP addresses. We then use a gaussian averaging algorithm to weigh lower scores more heavily to ensure low scores aren't masked by high averages. 

This produces a numeric grade for an organization, along with a letter grade as follows:

Additionally, we constantly add new checks based on the research our in-house security team does which means our scoring algorithm may change from time to time to better reflect what we consider a best-in-class security posture. 

The principles for fair and accurate security ratings

Security ratings are relatively new and carry their own risks. As noted by the Chamber of Commerce’s Principles for Fair and Accurate Security Ratings, ratings rely on data from a dynamic environment with many sources.

This is why UpGuard adheres to the Principles of Fair and Accurate Security Ratings:

  • Transparency: UpGuard believes in providing full and timely transparency not only to our customers but to any organization who wants to understand their security posture, which is why you can request your free security rating here and you can book a free trial of our platform here.

  • Dispute, Correction and Appeal: UpGuard is committed to working with customers, vendors and any organization who believes their score is not accurate or outdated.

  • Accuracy and Validation: UpGuard's security ratings are empirical, data-driven and based on independently verifiable and accessible information.

  • Model Governance: While the datasets and methodologies used to calculate our security ratings can change from time to time to better reflect our understanding of how to mitigate cybersecurity risk, we provide reasonable notice and explanation to our customers about how their security rating may be impacted.

  • Independence: No commercial agreement or lack thereof, gives an organization the ability to improve their security rating without improving their security posture.

  • Confidentiality: Any information disclosed to UpGuard during the course of a challenged rating or dispute is appropriately protected. Nor do we provide third-parties with sensitive or confidential information on rated organizations that could lead to system compromise.

Related Articles

Did this answer your question?