October 12 2020

Scoring algorithm improvements

We have made significant improvements to our scoring algorithm. From time to time, we adjust our scoring algorithm based on new information gleaned from industry trends, research, and customer feedback. It is important to note that our new scoring algorithm may have reduced your security rating and those of your vendors.

Here’s what improvements were made and why:

  • Lower scores are weighted more heavily: Ensures poor security on an individual domain or IP address is not “averaged out” by otherwise good security across an organization’s infrastructure. An organization is only as secure as its weakest link.
  • Greater emphasis on network security issues: Open ports, while not dangerous on their own, often expose vulnerable services. A great example of this risk is WannaCry, a ransomware cryptoworm that infected more than 300,000 computers by exploiting a zero-day in old versions of a network protocol called SMB. WannaCry was so successful because the SMB port is open by default on many legacy Windows machines.

As part of these improvements, we have combined our brand and reputation risk categories. Brand and reputation are two sides of the same coin and we believe it makes more sense for the underlying risks to fall under the same category.

Please read this article for more information about how you should respond.

Improved design and functionality for vendor reports

We’ve improved the design and functionality of our vendor report.

Based on your feedback, we have reduced the amount of UpGuard branding on the cover page of the report and if you have custom branding enabled, you’ll see reports now include your logo on the cover page.

In addition to these design changes, you can now generate vendor reports from any instant report vendors. These improvements are designed to make the report more accessible and easier to understand for recipients whether they’re internal stakeholders or vendors.

Learn how to generate a vendor report.

Other fixes and improvements

  • Changed font from Lato to Inter, a more modern typeface that is consistent with the new UpGuard website
  • Fixed issue where switching between category and overall views on risk profile caused waivers and custom domains checkbox to become unticked

October 1 2020

Better emails: Support for company branding and better calls to action

We made significant improvements to our emails. The most notable change is that you can now add company branding. Once enabled, your logo will appear at the top of any email sent by us to vendors or internal stakeholders. This makes it easier for recipients to understand who is making the request and will result in less back-and-forth between you and your vendors.

As part of these changes, we’ve also refreshed the design of our emails to make it easier for recipients to know what action they need to take next. This change means faster responses, better engagement, and less time spent chasing up requests.

Learn how to enable co-branding.

Remediation workflow for vulnerabilities

You can now request remediation of verified and unverified vulnerabilities in first and third-party remediation workflows. This is part of our ongoing work to improve our vulnerability management capabilities.

Learn how to request remediation from a vendor.

Export individual identity breaches

You can now export individual identity breaches as a PDF report or to Excel. The PDF report is a great way to communicate the extent of an identity breach to your internal stakeholders without having to invite them to UpGuard.

Learn how to export an identity breach.

Other fixes and improvements

  • Improved in-product references to relevant knowledge base articles
  • The Vendor Risk executive summary now shows the number of vendors your organization monitors over time
  • You can now label your inactive domains and labels will remain when domains transition from inactive to active or active to inactive
  • Data leaks reporting now shows all keywords including those with no results

September 16 2020

Improved vulnerability detection and management

We’ve expanded our vulnerability detection and management capabilities by differentiating between verified and unverified vulnerabilities.

As UpGuard scans from outside companies’ networks, there are some vulnerabilities we can confirm (verified vulnerabilities), but others we only know may exist (unverified vulnerabilities). When verified vulnerabilities are detected, you’ll also be able to see them on your, and your vendors’, risk profiles and use them in our remediation and risk waiver workflows.

In addition, you now can ignore unverified vulnerabilities to remove them from the vulnerabilities list. This is different from a risk waiver because you are signaling that the risk doesn’t exist, as opposed to a risk waiver where you are accepting the risk.

To learn how to use our vulnerabilities feature, see our articles on UpGuard BreachSight vulnerabilities and UpGuard Vendor Risk vulnerabilities.

Audit log

Administrators can now see an audit log of important events in the UpGuard platform and who actioned them.

This will allow you to see, for example, who has logged in, who has had their permissions changed, whether an UpGuard employee has viewed your account, when a questionnaire has been sent, when a risk assessment has been published, and much, much more.

Learn about the events tracked through our audit log.

Six new questionnaires

As part of our continued investment in the platform, we’re releasing six new questionnaires:

  • COBIT 5 Security Standard Questionnaire: Assesses compliance against the Control Objectives for Information and Related Technologies Framework created by ISACA.
  • ISA 62443-2-1:2009 Security Standard Questionnaire: Assesses compliance against the ISA 62443-2-1:2009 standard for industrial automation and control systems.
  • ISA 62443-3-3:2013 Security Standard Questionnaire: Assesses compliance against technical control system requirements associated with the seven foundational requirements (FRs) described in IEC 62443-1-1.
  • GDPR Security Standard Questionnaire: Assesses compliance against the personal information disclosure requirements outlined in the European Union's General Data Protection Regulation (GDPR).
  • CIS Controls 7.1 Security Standard Questionnaire: Assesses compliance against the best practice guidelines for cybersecurity outlined in 20 CIS Controls.
  • NIST SP 800-53 Rev. 4 Security Standard Questionnaire: Assesses compliance against the security and privacy controls required for all U.S. federal information systems except those related to national security.

Other fixes and improvements

  • We’ve broken up Documents & Contacts into two separate pages (Documents and Contacts)
  • Documents now includes all file-based evidence for a vendor and is categorized by source: general documents, additional evidence, or questionnaire responses
  • Documents added as additional evidence are now available in the vendor’s Documents & Contacts
  • Prioritized typosquatting results to first show homoglyphs with only one substitute character and where characters look similar to the original domain.
  • UpGuard analysts can now redact a sensitive URL on a data leaks finding
  • Improved the readability of cookie-based automated scanning results
  • Added parked domain detection for registrar CSC
  • Fixed an issue where users on Chromebooks couldn’t upload files

September 2 2020

New vendor risk report

We added a new downloadable report to UpGuard. Now you can generate a report that outlines the security posture of any monitored vendor and share it. Reports can be configured to include automated scanning, questionnaires, and additional evidence, or be based on completed risk assessments. It’s also a nice way to introduce UpGuard to your colleagues, board members, or vendors without having to invite them to the platform.

We also added context around each identified risk and remediation recommendations that can be used to drive decision-making, speed up vendor due diligence, and drive remediation efforts.

Learn how to generate a vendor report

Additional evidence

At the start of August, we released additional evidence to select customers. Since then we have improved the functionality. We’re excited about this as it enables many of you to capture risks identified in documents that your vendors have proactively published to their websites. Starting today, additional evidence is available for all UpGuard VendorRisk users and we’ll keep improving it over time.

Learn how to capture additional evidence

Other fixes and improvements

  • Reports can now be archived and deleted
  • Added search to reports page
  • Improved search and filter functionality to support renamed vendors
  • Increased max vendor name length from 50 characters to 150 characters
  • Fixed bug when extracting risks from completed questionnaires
  • Several fixes to read-only users including removing their ability to dismiss notifications

August 6 2020

Additional evidence

We've released a new feature called additional evidence in closed beta that will roll out to the entire user base in two weeks. If you would like access now, please get in touch.

While we recommend you use UpGuard's security questionnaires and automated scanning tools to assess your vendors, in some situations you may need to capture additional evidence about a vendor.

For example, you may send a questionnaire to a large SaaS vendor only to be directed to a page on their website that hosts complete security questionnaires, audit reports, and certificates. These documents provide insights into the vendor's security posture and attack surface.

Additional evidence allows you to capture and store this security or compliance-related documentation and associate any identified risks. Once identified, you can choose to include these risks in the vendor's risk profile, and cite them as part of a risk assessment.

Learn how to capture additional evidence here.

Other improvements and fixes

  • Data leaks customers can now see search results from the dark web and Google searches

July 21 2020

Improved WordPress information

A common misconfiguration for WordPress sites is to expose the names of users. We now display the actual user list in the UpGuard platform when this risk is detected.

Additionally, we now explicitly check for old versions of WordPress that have known vulnerabilities that can be exploited.

Other improvements and fixes

  • You can now retrieve the current set of risks from a vendor via our API.
  • Risks are now prepopulated when you request remediation through the Portfolio Risk Profile.
  • Questionnaire due dates can now be changed. If you want to change a questionnaire's due date, click on the questionnaire, click the "actions" button, and then click "Set due date".
  • You can now export to PDF and Excel in more places.
  • When you have filters active and export data to PDF, the PDF that is generated will now display the filters you used.
  • The check for certificates that are about to expire now triggers when a certificate is within 20 days of expiring, rather than 30. This change is designed to reduce the number of false positives, as some popular certificates (like Let's Encrypt) can be set to automatically renew when there are fewer than 30 days to expiry.

July 7 2020

Improved webhook integrations

In addition to our API, UpGuard uses webhooks to notify other applications when an event happens in your account. This could be when an identity breach or data leak is detected, the security rating of a vendor drops below a threshold, or when a user requests access to your Shared Profile.

Our improved webhook integration allows you to customize the payload you send to the webhook. This means you can push data into our systems without having to support our default payload format.

If you’re an UpGuard account admin, you can set up new and configure existing webhook integrations from Account Settings -> Integrations, or by clicking here.

If you need a hand setting up your first integration, please read our article on how to integrate UpGuard with other services.

Vulnerabilities are now available through our API

The UpGuard API now lets you return the list of vulnerabilities detected for your organization and your vendors. Click here for details.

Other improvements and fixes

  • When you filter your vendor portfolio based on labels you can now choose whether you want to see vendors that match any of the labels applied or restrict the results to only vendors who have all labels applied.
  • You can now export from the "Vendors" page in Excel and PDF formats

June 23 2020

We're releasing a new feature for our Data Leaks customers called Data Leaks Reporting. It provides detailed analytics on the keywords you have provided us.

You'll be able to see which research results were classified as safe (by our algorithms or analysts), and which resulted in findings.

Please note: This feature will be rolled out over the coming week. In the meantime, be sure to check out our knowledge base article on Data Leaks Reporting.

If you are a current UpGuard customer and are interested in the Data Leaks module, please contact your Technical Account Manager or click the chat widget in the lower right corner of your screen.

UpGuard Vendor Risk

We've made some enhancements to the export functionality of Portfolio Risk Profile. You'll now notice that when you export data it will include the details of the specific risks identified at each vendor.

Read our knowledge base article on how to export from the Portfolio Risk Profile for more information.

UpGuard BreachSight

We've also improved the export functionality of Vulnerabilities. When you export vulnerabilities, we now include the description of the CVE in the export.

If you would like to learn more about our Vulnerabilities module, read our knowledge base article here.

June 10 2020

We've made it easier to control who has access to your Shared Profile. You can now choose to give access to any registered UpGuard user or only to people you explicitly approve.

For context, a Shared Profile makes it easier to respond to security queries by allowing you to proactively publish information, such as completed security questionnaires or a SOC 2 report, alongside your security rating.

This saves your team time by allowing you to share vital information for potential and current customers without having to respond to the same questions over and over.

If you haven't contacted us to enable the Shared Profile functionality and would like to use it, please do so via support@upguard.com or via the chat widget in the bottom right-hand corner of your screen.

And if you'd like to configure your company's Shared Profile or access level, you can do so from the "My Shared Profile" page.

Improved knowledge base

To help you and your team get up to speed with existing and new features inside the UpGuard platform, we're rolling out a new knowledge base.

If you want us to explain how to use any of our features or what we consider best practices, please reach out to us and we'll do our best to accommodate.

May 27 2020

We’ve released a new feature for UpGuard Vendor Risk customers called Portfolio Risk Profile. Explore this feature in the UpGuard platform.

It allows you to view the overall risk profile of your vendor portfolio in a single place. For example, you can filter down based on specific risks (e.g. open FTP port) or see all the risks associated with vendors that are labeled as “in-use”.

You can read more about what the Portfolio Risk profile is here, learn how to use its filter functionality here, and learn how to export data here.

In other news, you can now filter Executive Summary Reports across UpGuard Vendor Risk and UpGuard BreachSight.

You can filter by label or score range in the UpGuard Vendor Risk Executive Summary and by label in the UpGuard BreachSight Executive Summary. To apply a filter, click on the “Apply filters” button in the top right-hand corner of your screen.

We’re also investing in our user interface to ensure the UpGuard platform remains consistent, deliberate, and easy to use. Expect more improvements over the next few weeks.

UpGuard Vendor Risk

In summary:

  • Released the Portfolio Risk Profile
  • Added filtering for UpGuard Vendor Risk Executive Summary
  • Improved the UI

UpGuard BreachSight

We’ve improved our typosquatting module. It now checks for permutations based on other top-level domains. For example, if you are monitoring “example.com” we will now return permutations such as “example.net

In summary:

  • Improved typosquatting module
  • Added filtering for the UpGuard BreachSight Executive Summary
  • Improved the UI
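The TLD-permutation rule above, together with the single-substitute-character homoglyph prioritization in the September 16 2020 notes, as an added example that is not UpGuard's implementation: it classifies already-observed registered domains against a monitored domain and orders them for review. The look-alike table, the function names, the ordering of TLD swaps after homoglyphs and the sample domains are assumptions constructed for illustration.

```python
# Illustrative look-alike table (assumption: a production table is far larger).
LOOKALIKES = {
    "o": "0\u043e",   # digit zero, Cyrillic o
    "l": "1i",
    "i": "1l",
    "e": "3\u0435",   # digit three, Cyrillic e
    "a": "\u0430",    # Cyrillic a
    "s": "5",
}

# Constructed sample of domains seen in registration data.
OBSERVED = [
    "example.net", "examp1e.com", "ex\u0430mple.com", "3xamp1e.com",
    "example.com", "unrelated.org", "exbmple.com",
]


def normalise(domain):
    """Lower-case, drop a trailing dot and decode punycode (xn--) labels."""
    domain = domain.strip().rstrip(".").lower()
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already Unicode, or not decodable: compare as given


def split_domain(domain):
    """Split into (first label, rest). Assumes registrable domains as input;
    a real tool would consult the Public Suffix List instead."""
    name, _, suffix = domain.partition(".")
    return name, suffix


def classify(monitored, candidate):
    """Return (kind, substitutions), or None when neither rule matches."""
    m_name, m_suffix = split_domain(normalise(monitored))
    c_name, c_suffix = split_domain(normalise(candidate))
    if (m_name, m_suffix) == (c_name, c_suffix):
        return None                      # the monitored domain itself
    if c_name == m_name:
        return ("tld-swap", 0)           # same name under another TLD
    if c_suffix != m_suffix or len(c_name) != len(m_name):
        return None
    # Same length and suffix: every differing position must be a look-alike.
    diffs = [(a, b) for a, b in zip(m_name, c_name) if a != b]
    if all(b in LOOKALIKES.get(a, "") for a, b in diffs):
        return ("homoglyph", len(diffs))
    return None


def rank(monitored, observed):
    """Order matches: fewest homoglyph substitutions first, TLD swaps last."""
    hits = []
    for domain in observed:
        verdict = classify(monitored, domain)
        if verdict is None:
            continue
        kind, subs = verdict
        order = (0, subs) if kind == "homoglyph" else (1, 0)
        hits.append((order, domain, kind, subs))
    hits.sort()
    return [(domain, kind, subs) for _, domain, kind, subs in hits]


if __name__ == "__main__":
    for domain, kind, subs in rank("example.com", OBSERVED):
        print(f"{kind:10} subs={subs}  {domain!r}")
```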

May 12 2020

We’ve greatly improved the report export functionality across the UpGuard platform. You can now export your own or a vendor’s risk profile to Excel. The Excel file contains a row for each combination of risk and domain / IP.

You’ll also notice that reports reflect any filters you have in place, such as label-based or score-based filtering. To try this out, log in to the UpGuard platform > go to your Risk Profile > apply a filter > click export.

You’ll see there is an option to apply active filters, as well as to export to PDF or Excel.

Additionally, we’ve made some changes to how we report on and classify domains and IP addresses across both UpGuard Vendor Risk and UpGuard BreachSight:

  • When a domain or IP is removed (from a vendor’s infrastructure or your own), you will now see a corresponding event in the “changes” view.
  • Domains with open ports are now classified as “active” to better reflect an organization’s attack surface. Prior to this, domains with open ports but no website or email configuration were classified as “inactive”.
  • Parked domains at several registrars are now considered “inactive”. If you have parked domains that do not appear inactive, please contact UpGuard Support and we can set them as “inactive”.

We also made a small change to our scoring engine. The "HTTP still accessible" check will now fail for domains that respond with a 4xx/5xx HTTP status code over plain HTTP. Previously only sites responding with 200 failed this check.

UpGuard Vendor Risk

We’ve made UpGuard Vendor Risk specific improvements:

  • Domains and IPs are now viewable from Risk Assessments. This means when you conduct a risk assessment on a vendor, you can use the list of Domains and IPs monitored by UpGuard, as well as their associated risks, as part of the evidence for that assessment.
  • We’ve made some improvements to how we collect fourth-party information for our Concentration Risk and Supply Chain modules. If you would like to know more about these modules, please contact UpGuard Support.

UpGuard BreachSight

We’ve made UpGuard BreachSight specific improvements:

  • The Identity Breaches API now includes the data classification for each breach, such as whether it contains passwords, PII, or other sensitive information.
  • Vulnerability alerts are now grouped into a single email. This means if you enable email notifications for new CVE discoveries, we will only send you one email per day that outlines all impacted domains and IPs. You can manage your notifications by clicking here.

April 28 2020

We've made some changes to how we are structuring the sidebar in UpGuard CyberRisk. The Executive Summary is now split into two separate pages:

This better reflects the nature of the data contained in each page and ensures there is a consistent separation between UpGuard Vendor Risk and UpGuard BreachSight. Additionally, we've reordered some other menu items to improve usability.

Other product-wide improvements in this release include:

  • Deeplinking. If you click an UpGuard link, such as an email notification, and are not logged in, after logging in you will be redirected to the page you were trying to access
  • Category scores. We've improved our API and have made category scores available through the Vendor List API endpoint
  • Revoked certificate check. This is a new check that is part of our automated scanning

UpGuard Vendor Risk improvements

We've improved the ability to drill down into specific details on the UpGuard Vendor Risk Executive Summary. You can now:

  • See which vendors fall within each score range in Current Risk Ratings Breakdown
  • Navigate to the details of a specific vendor in Highest and Lowest Rated Vendors
  • See what products your vendors are using in Supply Chain Risk Section

Additionally, we now:

  • Display supported file types on the Documents and Contacts page.
  • Have a new app or email notification type for when a Risk Assessment is published. If you would like to receive these notifications, head to the Notifications page.

UpGuard BreachSight improvements

We've improved the UpGuard BreachSight Executive Summary by:

  • Allowing you to add up to ten competitors to Competitor Analysis

Additionally, we've made a few small improvements:

April 14, 2020

Over the next week, we'll be rolling out a change to how we display domains and IPs in the UpGuard platform.

Going forward, we will display inactive domains and IPs across your own infrastructure and that of your vendors. We previously only reported on active domains and IPs, e.g. ones running a website or with MX records. We track many more domains than what appears in the active section and now provide a way for you to view these.

UpGuard Vendor Risk improvements

We’ve also improved the design and usability of our new Risk Assessment feature, making it easier to create and read risk assessments. As always, if you’d like to try the feature please let us know via support@upguard.com.

And if your account is configured to factor in questionnaire scores into the overall score of a vendor, you will now see a breakdown of the score on their risk profile and vendor summary page. 

In short, we now show the total score, questionnaire score, and score based on automated scanning. 

UpGuard BreachSight improvements

We’ve added new functionality and data to the Identity breaches module:

  • You can now send email notifications to those who are exposed in third-party data breaches. This is a good way to remind staff about the appropriate use of work email accounts, discourage staff from reusing passwords, or to remind people to change their passwords.
  • Breaches can now be archived once you have processed them, e.g. once you’ve notified impacted employees.
  • Our data set of breaches now includes additional breaches that were discovered by the UpGuard Cyber Research team.

March 19, 2020

We launched a new feature called Risk Assessment. This feature is currently available on request. If you would like access, please email support@upguard.com

Risk Assessment allows you to:

  • Specify the evidence you reviewed as part of the assessment (including questionnaires and automated scan results)
  • Document your findings based on this evidence
  • Record who conducted the assessment
  • Export the assessment as a PDF
  • Make the assessment visible within the app to all the users of your account

UpGuard Vendor Risk improvements

We've also released two Pandemic questionnaires designed to help you assess your vendors' readiness to deal with the current pandemic, as well as improved PDF report generation. 

When you export information to PDF, it will now appear in the sidebar under a new menu item called "Reports". This also fixes the bug where generating reports for large vendors would sometimes time out. 

UpGuard BreachSight improvements

We've added an API that returns information about your company's identity breaches, made it easier to tell which domains and IPs you've added manually, and pushed quite a few bug fixes and minor tweaks.

February 19, 2020

  • New Vendor Summary: When you look up a vendor, the first page you see is now a new Vendor Summary. This provides a management-level view of the vendor, and can also be exported as a PDF.
  • Enhanced Risk Profile: We’ve made a number of improvements to the Risk Profile page, including the ability to filter by risk category (e.g. website risks, email risks, etc.)
  • Websites & APIs is now called Domains and IPs
  • Greatly enhanced port scanning: We now explicitly check for nearly 200 services running across thousands of ports. We also report any services that we can’t identify, and any open ports where no services are detected.
  • We’ve made some changes to our scoring algorithm:
      • Updated email security checks: this includes a new check for the DMARC policy (which fails if p=none). For information on email security, see https://www.upguard.com/blog/email-security
      • Improved checking for open ports/services: As part of enhancing our port scanning capability, we have reviewed and updated the severity of risks associated with open ports/services.
      • The HSTS checks now include a check against the Chromium preload list. If a domain is on the preload list, all HSTS checks pass for that domain and all its subdomains.
      • Updated domain status checks for .au domains: We no longer check for clientTransferProhibited or serverRenewProhibited on .au domains, as they are not applicable.
  • Changes to open ports can now be reflected in CyberRisk sooner, by pressing the “RESCAN” button. When a port is closed, manually requesting a rescan of the website will now detect the change to the port sooner (usually within a day).
  • WHOIS lookup within Typosquatting: When you view a registered permutation of a domain you are monitoring for typosquatting, you can now see that permutation’s WHOIS information
  • New Questionnaires: We have added questionnaires for PCI DSS, CPPA, and Modern Slavery.
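The DMARC policy check listed in the scoring changes above (fail when p=none), as an added example that is not UpGuard's code: it evaluates the TXT records published at `_dmarc.<domain>`. Treating missing, duplicate or malformed records as failures, and warning on `sp=none` or `pct` below 100, goes beyond what the release note states and is an assumption; the sample records are constructed.

```python
import re

VALID_POLICIES = {"none", "quarantine", "reject"}
# A DMARC record must begin with the version tag v=DMARC1 (RFC 7489).
DMARC_PREFIX = re.compile(r"^\s*v\s*=\s*DMARC1\s*(;|$)")

# Constructed sample TXT answers for _dmarc.<domain>, keyed by domain.
SAMPLES = {
    "monitor-only.example": ["v=spf1 -all",
                             "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example"],
    "enforcing.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@enforcing.example;"],
    "partial.example": ["v=DMARC1; p=quarantine; sp=none; pct=25"],
    "unpublished.example": [],
}


def parse_dmarc(record):
    """Split a DMARC record into a {tag: value} dict (tag=value; syntax)."""
    tags = {}
    for part in record.split(";"):
        if not part.strip():
            continue  # tolerate the trailing ';' many records carry
        name, sep, value = part.partition("=")
        if not sep or not name.strip():
            raise ValueError(f"malformed tag {part.strip()!r}")
        tags.setdefault(name.strip().lower(), value.strip())
    return tags


def check_dmarc(txt_records):
    """Return {'passed', 'reason', 'warnings'} for a domain's DMARC TXT records."""
    result = {"passed": False, "reason": "", "warnings": []}
    candidates = [r for r in txt_records if DMARC_PREFIX.match(r)]
    if not candidates:
        result["reason"] = "no DMARC record published"
        return result
    if len(candidates) > 1:
        # RFC 7489 policy discovery: with several records, none is applied.
        result["reason"] = "multiple DMARC records published"
        return result
    try:
        tags = parse_dmarc(candidates[0])
    except ValueError as exc:
        result["reason"] = str(exc)
        return result

    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        result["reason"] = f"missing or invalid p= tag ({policy!r})"
        return result
    if policy == "none":
        # The rule from the release note: monitoring-only policy fails.
        result["reason"] = "p=none: receivers report only, no enforcement"
        return result

    result["passed"] = True
    result["reason"] = f"p={policy}"
    # Settings that weaken an otherwise enforcing policy (assumed extras).
    if tags.get("sp", policy).lower() == "none":
        result["warnings"].append("sp=none leaves subdomains unenforced")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) > 100:
        result["warnings"].append(f"invalid pct value {pct!r}")
    elif int(pct) < 100:
        result["warnings"].append(f"pct={pct}: policy applies to part of the mail only")
    return result


if __name__ == "__main__":
    for domain, records in SAMPLES.items():
        verdict = check_dmarc(records)
        status = "PASS" if verdict["passed"] else "FAIL"
        print(f"{domain:22} {status}  {verdict['reason']}  {verdict['warnings']}")
```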

January 22, 2020

  • Export Vulnerabilities: You can now export the list of vulnerabilities
  • Better domain discovery: We’ve made further improvements to our domain discovery engine, which results in more domains and subdomains being discovered.
  • Various usability tweaks and bug fixes

December 23, 2019

We have released a new questionnaire that is mapped to NIST CSF. To use this questionnaire, you'll first need to enable it from the "Questionnaire Library" section of Vendor Risk. When one of your vendors completes a questionnaire, any risks identified will be mapped to the corresponding CSF control categories. 

December 11, 2019

  • Share your security profile: Make it easier for other companies to assess your cybersecurity posture by proactively publishing security-related information including questionnaire responses and other security documents. Control who has access to these documents, and see who has viewed them. Invite companies to view your Shared Profile when they are assessing you, and spend less time completing security questionnaires. Contact UpGuard Support to enable your Shared Profile.
  • Export questionnaires: Download completed questionnaires as PDFs.
  • Questionnaire workflow improvements: When you receive a completed questionnaire, mark it as “in review” to keep track of who in your team is reviewing which questionnaire response.
  • API enhancements: Data leaks are now available through the API. See the API documentation for more details.
  • Various bug fixes

November 11, 2019

  • Executive Summary Report: We’ve created a new report to provide a summary of your own cybersecurity posture, and that of your vendors. We’ll be activating it for existing customers over the next week or so.  As part of this change you’ll notice the “Dashboard” page has been replaced with two new pages - the "Executive Summary", and a dedicated “Notifications” page.
  • Enhanced file upload feature for questionnaires: When providing evidence as part of responding to a security questionnaire, you can now point to a file that you've already uploaded. This allows the same file to be referenced as evidence for multiple questions without having to upload multiple copies of it.
  • Various bug fixes, including some display issues related to the Microsoft Edge browser.

October 16, 2019

  • You can now receive notifications when your company's score drops below a certain threshold, or by a certain number of points. To opt in and out of these notifications, use the "manage notifications" link on the dashboard page. To customise the set of notifications available to users in your account, go to Account Settings -> Notifications (admin users only).
  • The Insecure SSL/TLS Versions check now fails for TLSv1.1, in addition to SSLv2, SSLv3, and TLSv1.0. See RFC 7525 for more detail on why TLSv1.1 should be disabled.
  • We fixed a bug where for some websites we would incorrectly report old versions of TLS as being available.
  • We improved the way we display vendors whose primary domain does not have a website running on it.

September 18, 2019

  • WordPress scanning: Whenever we detect that a site uses WordPress, we now run a series of additional security checks. These checks identify configuration problems that leave WordPress sites vulnerable to attack.
  • Supply Chain Concentration Risk (beta):  We have launched a beta of a new feature which highlights where companies in your supply chain (e.g. your vendors) rely on common underlying technology (e.g. hosting providers, email providers).  Contact UpGuard Support if you would like early access to this feature. 
  • The character limit for messages you include when sending questionnaires has been increased from 300 to 1000
  • Various bug fixes

September 3, 2019

  • We’ve improved the way we display your list of vendors and instant reports.
  • You can now search for vendors by URL as well as name
  • We’ve improved the way questionnaires are displayed, including making it easier to view the risks, and improving the question numbering
  • We've changed the algorithm for scoring questionnaires to improve the way unanswered questions are weighted.
  • We’ve improved the way “Assurance” customers view their customer portfolio

August 7, 2019

  • You can now add custom labels to your websites in BreachSight, just like the labels you can already add to your vendors in VendorRisk. You can then use labels to filter websites on all pages where your websites are shown.
  • UpGuard has now been added as one of your monitored vendors in VendorRisk, if you were not monitoring the UpGuard vendor already. This will not count towards the available monitored vendor slots in your account. If you are not using VendorRisk already, you will now be able to access it, with UpGuard as your only monitored vendor.
  • We've improved our risk model for redirect domains. These are domains that redirect users to a different domain, and do not themselves host a website. Before this change, if example.co.uk redirected to example.com, some of the risks that we scan for were only being identified on example.com, and example.co.uk was not being checked for all possible risks. With this change, all risks applicable to example.co.uk will now be correctly identified. The most significant new risks that you may start seeing on redirect domains are related to HTTPS support and SSL certificate issues. You may notice some fluctuations in website scores as this change is rolled out, but the end result will be a more accurate reflection of the risks associated with these domains.
  • It's now easier to manage your Cyber Risk API keys from your account Settings page. You can have multiple active API keys, and specific keys can be deleted. This allows API keys to be rotated more easily, when required.
  • Various bug fixes.
  • You will now be notified on your Cyber Risk dashboard when we release new features in future. Keep an eye out for the notification.

July 23, 2019

  • You can now add "private" notes to questionnaires and remediation requests. These are visible to users of your account, but not to the recipients of the questionnaire or remediation request.
  • We've improved how we present your own score. When we display your own company's score to you, we can draw on public information (such as the configuration of your websites) as well as private information (such as which vendors you have marked as "in use"). This lets us provide the most complete view of your security posture. When someone else (another CyberRisk customer) looks up your company, however, we report your score based only on the publicly available information. This has caused some confusion, and to address this, we've changed the way you see your own score on your "Risk Profile" page. You can now choose to either see your "public" score, or also factor in the private data you have provided.
  • When you manually request a scan for a given website, we are now rescanning for open ports on that website more quickly. At times it may still take a while for refreshed port scan data to flow through, but it should often appear within 10 minutes or so. Note that when ports change from "open" to "filtered" (as opposed to "closed"), it will still take up to 30 days for changes to flow through.
  • When you manually request a scan for a given website, and the scan fails (for instance, if the website is no longer running) we now report the failure, as well as how many times it's failed previously, and when the website will be removed (after 4 consecutive failures).
  • You can now request remediation or create a risk waiver from the Risk Profile page, or while looking at the details of a specific website.
  • We fixed a problem with vulnerabilities where some websites that use shared IP addresses would have vulnerabilities incorrectly assigned to them.
  • We've made a number of UI improvements and bug fixes

July 9, 2019

  • We now allow vendors to be filtered by a score range, and use this to provide a clickthrough from the vendor breakdown on the dashboard.
  • We have extended vendor filtering to cover the contents of the dashboard (including the vendor breakdown) and the remediation list.
  • We have created a questionnaire library, allowing account admins to easily configure which questionnaire types are able to be selected and sent by their users. It also allows non-admin users to browse and preview those questionnaire types that have been selected for the account.
  • Various bug fixes

June 26, 2019

  • The Data Leaks workflow has been simplified. Now there are only 3 states for a Data Leak - Disclosed, Acknowledged, and Closed. The Closed status still includes the reason for closure (Fixed, Not a Risk, or Risk Accepted), and can be verified by an UpGuard analyst as an additional final step.
  • The Documents list on the Questionnaire Details page now includes all documents relevant to the questionnaire, and whether they have been included or not. This allows users to easily see which documents have been uploaded and which have been omitted.
  • Users can now include a message when requesting remediation, which will be visible to the recipient.
  • Users must now include a "justification" when creating a risk waiver which will be visible to the approver, if one exists. If there is a separate approver, their justification will be shown separately.
  • Score history (up to a year if the data is available) is now enabled by default for all accounts.
  • There is a new action in the Actions dropdown to "Send a message" available on the Questionnaire Details screen. This prompts the user to enter a message in the Correspondence section.
  • Admin users can now remove themselves from an account, as long as there is at least one other admin user on the account.
  • Various bug fixes and cross-browser improvements.

June 12, 2019

We have added several major new features to the CyberRisk platform:

  • Risk Waivers: Use risk waivers to accept risks and hide them from your risk profile. This is especially useful when you have compensating controls in place which you believe mitigate the risk. Currently risk waivers can be applied to risks identified with your own Internet-facing assets (your own “Web Risks” identified in BreachSight). 
  • Enhanced Vulnerabilities Detection: We have improved the way we detect vulnerabilities, both with your own web assets (in BreachSight), and those of your vendors (in VendorRisk). We also explicitly check for the recently discovered BlueKeep vulnerability.
  • Typosquatting Detection: We have launched a new module to help you manage your typosquatting-related cyber risk. You can choose which domains you want to monitor, and then review and monitor the registered and unregistered permutations of these domains for suspicious activity. Contact UpGuard Support to arrange access.

We have made a few other changes too:

  • When viewing a list of websites (“Web Risks”), you can now view as a tree to make it easier to navigate subdomains
  • Various bug fixes

April 17, 2019

We have just released a new version of CyberRisk, which brings several minor enhancements and a number of bug fixes:

  • Attachments are now supported in-line within questionnaires, rather than all being at the end of a questionnaire. This makes it easier to correlate specific questions with evidence (documents).
  • When you start monitoring a vendor, you can now apply custom labels (as well as the built-in labels).
  • In VendorRisk, you can now see the date that your allocation of Instant Reports rolls over.
  • Various bug fixes

April 5, 2019

  • Integrations: CyberRisk now enables you to call out to external Webhooks when notifications (events) are generated. For instance, you may want to send a message to one of your internal systems whenever a new data leak is detected. 
  • VendorRisk - view unanswered questions: When viewing the details of a questionnaire there is now a panel which shows which questions have not been answered.
  • VendorRisk - Disable “Questionnaire Marked as Complete” emails to vendors: When you mark a questionnaire as “Complete”, CyberRisk previously sent an email back to the recipients of that questionnaire, telling them you have marked it as complete. The purpose of this was to give your vendor feedback that you are satisfied with their response, and have completed the review process. Based on user feedback, this email no longer gets sent unless you explicitly activate it. This is done (by an account admin) in the “Questionnaires” tab of the “Account Settings”.
  • Various bug fixes