Learn about addressing risks, vulnerabilities, and typosquatting
This guide discusses functionality from across product tiers and may reference functionality not available on your account.
Your UpGuard rating is visible to you in Breach Risk and to others in Vendor Risk. Addressing risks and vulnerabilities improves your actual security posture and, as a result, the score that others can see, i.e. what your public security posture looks like to a third party.
Step 1: Evaluate and address risks
Start with the most critical risks in the highest weighted category and take one of the following actions:
- Request risk remediation (strongly recommended). Assign the remediation to the appropriate team member to have them fix the risk. Rescan at any point to validate that the risk has been remediated.
- Waive risks (when remediation is not possible). When waiving, you can include a justification of why this is not a risk for you and/or list the compensating controls in place. A waiver is one of two kinds:
  - Public waivers. Visible to any Vendor Risk customer, who can choose to accept them. Someone who accepts a public waiver sees an adjusted score that takes the accepted waiver into account.
  - Internal waivers. Visible and available only to your own team within Breach Risk; they do not change what others see.
Tip: use the calculator in the risk remediation workflow to see the impact a fix will have.
Step 2: Address vulnerabilities
UpGuard uses proprietary algorithms to scan externally observable signals (e.g. HTTP response headers, website content, and open ports) and identify vulnerabilities. Each vulnerability is classified into one of four categories, based on whether it is on CISA's Known Exploited Vulnerabilities (KEV) catalog and whether UpGuard could confirm it on your domain(s). They are listed below from most important to least:
Known Verified
- Affects your score.
- Vulnerability is on CISA's list of known exploited vulnerabilities.
- UpGuard has found that one of your websites is running a specific software version with this vulnerability.
- UpGuard has confirmed that the vulnerability exists for your domain(s).
Recommendation: Remediate the vulnerability.
Known Unverified
- Does not affect your score.
- Vulnerability is on CISA's list of known exploited vulnerabilities.
- UpGuard has found that one of your websites is running a specific software version with this vulnerability.
- UpGuard cannot confirm if the vulnerability exists for your domain(s).
Recommendation: Investigate to determine if this is or is not a vulnerability to you, then remediate or ignore accordingly. Because this category is based on the advertised software version, check the actual patch level on the host: distribution packages often backport fixes without changing the version string, which produces a finding that is not exploitable.
Verified
- Affects your score.
- Vulnerability is a published vulnerability (e.g. a CVE) that is not on CISA's Known Exploited Vulnerabilities catalog.
- It is unknown whether or not the vulnerability is currently being exploited.
- UpGuard has found that one of your websites is running a specific software version with this vulnerability.
- UpGuard has confirmed that the vulnerability exists for your domain(s).
Recommendation: Investigate to determine if this is or is not a vulnerability to you, then remediate or ignore accordingly.
Unverified
- Does not affect your score.
- Vulnerability is a published vulnerability (e.g. a CVE) that is not on CISA's Known Exploited Vulnerabilities catalog.
- It is unknown whether or not the vulnerability is currently being exploited.
- UpGuard has found that one of your websites is running a specific software version with this vulnerability.
- UpGuard cannot confirm if the vulnerability exists for your domain(s).
Recommendation: Investigate to determine if this is or is not a vulnerability to you, then remediate or ignore accordingly. As with Known Unverified, confirm the real patch level rather than trusting the version banner alone.
Step 3: Typosquatting
The Typosquatting module monitors permutations of your domain (for example, characters omitted, doubled, transposed or replaced with look-alikes, and the same label under a different TLD) and flags registered ones that are potential typosquatting risks.
Check the module for any potential threats and take one of two actions:
- Use Takedown domain to visit icann.org and begin the takedown request process. Note that ICANN does not itself take down domains: its site points you to the Uniform Domain-Name Dispute-Resolution Policy (UDRP) process and to the abuse contact of the domain's registrar. Capture evidence first (WHOIS record, DNS records, screenshots of any impersonating content), as the complaint will require it.
- Ignore domain if you've confirmed that this permutation is not problematic (for example, it is registered by your own organisation or is a legitimate, unrelated business).
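To make concrete what "permutations of your domain" means, below is an added example of a typosquat candidate generator, written for this page and not UpGuard's own code. It builds the common permutation types for a domain and then filters them against a constructed set of "registered" names (standing in for a DNS or WHOIS lookup) and a constructed allowlist of domains you already own, which is the "Ignore domain" decision above. The QWERTY adjacency map, homoglyph table, alternative TLD list and both sets are assumptions made up for the example, and it only handles single-label TLDs (not suffixes such as co.uk).

```python
"""Typosquat candidate generator (added example; not UpGuard's implementation)."""

# Constructed QWERTY adjacency map used for replacement and insertion typos.
QWERTY = {
    "q": "wa", "w": "qes", "e": "wrd", "r": "etf", "t": "ryg", "y": "tuh",
    "u": "yij", "i": "uok", "o": "ipl", "p": "o",
    "a": "qwsz", "s": "awedxz", "d": "serfcx", "f": "drtgvc", "g": "ftyhbv",
    "h": "gyujnb", "j": "huikmn", "k": "jiolm", "l": "kop",
    "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb", "b": "vghn",
    "n": "bhjm", "m": "njk",
}
# Constructed subset of visually confusable characters.
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4",
              "s": "5", "g": "9", "b": "d", "m": "rn", "w": "vv"}
VOWELS = "aeiou"
# Constructed list of TLDs to try in place of the real one.
ALT_TLDS = ["com", "net", "org", "co", "io", "info"]


def split_domain(domain):
    """Split 'label.tld' into (label, tld). Assumes a single-label TLD."""
    label, _, tld = domain.lower().partition(".")
    if not label or not tld or "." in tld:
        raise ValueError(f"expected a single-label TLD in {domain!r}")
    return label, tld


def permutations(domain):
    """Return {candidate_domain: technique} for common typosquat patterns.

    When several techniques produce the same name, the first one wins."""
    label, tld = split_domain(domain)
    out = {}

    def add(name, technique):
        cand = f"{name}.{tld}"
        if name and cand != domain.lower() and cand not in out:
            out[cand] = technique

    for i, ch in enumerate(label):
        add(label[:i] + label[i + 1:], "omission")          # exmple
        add(label[:i] + ch + label[i:], "repetition")       # exaample
        if i < len(label) - 1:                              # exmaple
            add(label[:i] + label[i + 1] + ch + label[i + 2:], "transposition")
        for key in QWERTY.get(ch, ""):                      # adjacent keys
            add(label[:i] + key + label[i + 1:], "replacement")
            add(label[:i] + key + label[i:], "insertion")
        if ch in HOMOGLYPHS:                                # examp1e
            add(label[:i] + HOMOGLYPHS[ch] + label[i + 1:], "homoglyph")
        if ch in VOWELS:                                    # exomple
            for v in VOWELS:
                if v != ch:
                    add(label[:i] + v + label[i + 1:], "vowel-swap")
        if i > 0:                                           # exam-ple
            add(label[:i] + "-" + label[i:], "hyphenation")
    for alt in ALT_TLDS:                                    # example.net
        if alt != tld:
            out.setdefault(f"{label}.{alt}", "tld-swap")
    return out


def flag(domain, registered, owned=()):
    """Return the candidates that are registered and not on your own allowlist.

    `registered` stands in for a DNS/WHOIS check; `owned` is the set of
    permutations you have already confirmed are yours (the Ignore decision)."""
    return {c: t for c, t in permutations(domain).items()
            if c in registered and c not in owned}


# Constructed sample data: what a lookup "found" and what the org already owns.
REGISTERED = {"exmple.com", "examp1e.com", "example.net", "exam-ple.com"}
OWNED = {"example.net"}

if __name__ == "__main__":
    for cand, technique in sorted(flag("example.com", REGISTERED, OWNED).items()):
        print(f"{cand:16} {technique}")
```

The generator is deliberately broad: on a seven-letter label it produces a few hundred names, and in practice most are unregistered, so the lookup step (here simulated by `REGISTERED`) is what turns the list into findings worth reviewing.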