Some features mentioned in this article may only be available with a paid SecurityScorecard plan. See our plans page for more information about levels of features and access.
Learn about the latest product updates, features, early release features, and improvements in the SecurityScorecard platform.
For scoring recalibrations and other changes that affect Scorecard scores, see scoring update release notes.
November
Attribution Evidence in Issues CSV
You can now get assets, attribution evidence, associated issues metadata, and tags (user-contributed data) all within Issues CSV exports.
Learn more about managing your digital footprint
Attribution via DNS TXT record evidence
Use the DNS TXT record method to attribute assets to the right subsidiaries. SecurityScorecard will generate a unique string that you can use to update the DNS TXT record of apex domains.
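The DNS TXT attribution check above, as an added illustration (not SecurityScorecard's own code): the token label "ssc-attribution=" and the sample zone lines are assumptions, since the page does not show the vendor's string format. The parser also handles a TXT record split into several quoted strings, which happens for records longer than 255 bytes.

```python
"""Added example: verify that an apex domain's DNS TXT records carry an
attribution token of the kind described above.

Assumptions (hypothetical): the token is published as a TXT string of the
form "ssc-attribution=<token>". Records are parsed from constructed
zone-file style lines so the check runs offline; in production the TXT
records would be fetched with a resolver instead.
"""
import hmac
import re
from typing import Dict, List

TOKEN_PREFIX = "ssc-attribution="  # assumed label, not the vendor's real format

# Constructed sample TXT records (zone-file style). The second example.com
# record is split into two quoted strings, as DNS does for long TXT data.
SAMPLE_ZONE = """
example.com.        300 IN TXT "v=spf1 include:_spf.example.net -all"
example.com.        300 IN TXT "ssc-attribu" "tion=7f3a9c2e1b4d"
sub.example.com.    300 IN TXT "ssc-attribution=7f3a9c2e1b4d"
other-example.com.  300 IN TXT "ssc-attribution=deadbeefcafe"
"""

_TXT_LINE = re.compile(r'^(\S+)\s+\d+\s+IN\s+TXT\s+(.*)$')
_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')


def parse_txt_records(zone_text: str) -> Dict[str, List[str]]:
    """Return {owner name: [txt, ...]}. Adjacent quoted strings belonging to
    one record are concatenated, which is how resolvers present them."""
    records: Dict[str, List[str]] = {}
    for line in zone_text.splitlines():
        m = _TXT_LINE.match(line.strip())
        if not m:
            continue  # blank or non-TXT line
        name = m.group(1).rstrip(".").lower()
        parts = [p.replace('\\"', '"') for p in _QUOTED.findall(m.group(2))]
        records.setdefault(name, []).append("".join(parts))
    return records


def attribution_verified(records: Dict[str, List[str]], apex: str,
                         expected_token: str) -> bool:
    """True only if a TXT record at the queried name itself carries the
    expected token. Records on other names (e.g. subdomains) do not count
    when the apex is queried, and the comparison is constant-time."""
    for txt in records.get(apex.rstrip(".").lower(), []):
        if txt.startswith(TOKEN_PREFIX):
            candidate = txt[len(TOKEN_PREFIX):].strip()
            if hmac.compare_digest(candidate.encode(), expected_token.encode()):
                return True
    return False


if __name__ == "__main__":
    recs = parse_txt_records(SAMPLE_ZONE)
    print("example.com attributed:",
          attribution_verified(recs, "example.com", "7f3a9c2e1b4d"))
```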
Identify IPs associated with specific hostnames in Digital Footprint
Use the new hostnames filter in Digital Footprint to identify IPs associated with specific hostnames.
Learn more about managing your digital footprint
Questionnaires request access workflow
Users who do not have access to a questionnaire can request access.
Learn more about redesigned questionnaires
New ServiceNow Security Incident Response (SIR) Module
The new SecurityScorecard ServiceNow SIR module is a plug-in app for SecurityScorecard ServiceNow ITSM.
Learn more about the ServiceNow Security Incident Response integration
TPRM Dashboard updates
Easily review different portfolios using the new multi-select option within the Portfolio section and combine multiple portfolios into a singular dashboard view. You can also export a PDF of the dashboard for sharing with stakeholders.
Learn more about the third-party risk management dashboard
Export Automatic Vendor Detection portfolio connections
For each detected vendor, you can now download the list of portfolio connections from the Portfolio Connections drawer.
Learn more about Automatic Vendor Detection
October
Rapid score refresh for Custom Scorecards
Custom scorecards are now updated within one hour of creation or changes to the scorecard recipe.
Learn more about creating Custom Scorecards
Issue Type Updates
We have updated the following two Issue Types to "Informational". With this update, you will not see any score impact with these two issue types: Website Copyright Not Current and Telephony/VOIP Device Accessible.
New information architecture
The top line menu for the SecurityScorecard platform has been updated.
JIRA Ticket Workflow Improvements
You can now assign issues to Jira project teams directly from scorecards and set parent-child hierarchies.
Learn more about the JIRA integration with SecurityScorecard
New design for Questionnaires
The redesigned questionnaire workspace provides a clear and intuitive layout, with improved organization and visibility of crucial information. Users can now complete questionnaires more quickly and accurately, saving time and reducing frustration.
Learn more about redesigned questionnaires
New getting started experience
Our new onboarding experience guides users through key features in the platform. Vendor risk managers will be guided on how to add, contact, and continuously monitor vendors more easily and quickly. Security engineers will be guided on how to improve their score, communicate security performance, and turn on alerts.
MAX document center
MAX customers can now access documents from service delivery teams within the MAX dashboard in the SecurityScorecard platform.
Learn more about the MAX dashboard
Search and generate reports with tags in Supply Chain Risk Intelligence
You can now select between Portfolios or tags in Supply Chain Risk Intelligence to generate a report.
September
Roles-Based Access Control (RBAC) Improvements
A new visualization tool allows admins to clearly see each user’s effective permissions. In addition, admins now have the ability to set default roles for new users, view private portfolios, add users in bulk, assign portfolios at the team level, control who can consume a slot, and disable API access.
Learn more about managing users and permissions
Move assets to the subsidiary scorecard and the proper owner
New self-serve capabilities allow admins to re-assign assets to a different subsidiary. Admins also have visibility if a specific asset is attributed to multiple subsidiaries.
Learn more about hierarchies and managing subsidiaries
August
Assign assets to IT teams in bulk
You can now select multiple Custom Scorecards and assign a specific IT team or user in one operation.
Learn more about Custom Scorecards
ServiceNow VRM Breach Incident Response Details
The SecurityScorecard VRM integration with ServiceNow TPRM now supports breach response data. You can now automate breach notifications within ServiceNow.
Learn more about ServiceNow integration
All Companies Updates
You can now navigate from the Vendor risk management dashboard to All Companies with a click when you have selected “All portfolio companies” as your portfolio. Notes can also be added to vendor details for internal communications. The import template now includes vendor details fields.
Learn more about All Companies
Showing Attribution Source Upfront in Digital Footprint
Infosec managers can now see the attribution source for IPs and domains in their attack surface upfront, without any clicks. This helps your team build confidence in attribution and enables faster remediation.
Digital Footprint (domain tab)
Digital Footprint (IP tab)
Learn more about your Digital Footprint
Evidence Based Score Gain: All Evidence Types
Evidence-Based Score Gain is a methodology by which you can receive a positive score adjustment for uploading valid evidence to the Evidence Locker. In the previous release, we enabled EBSG for SOC 2 Type 1 and SOC 2 Type 2 evidence types only. We are now expanding this to all evidence types on the platform. The evidence types that will now produce score gain are listed below:
- SOC 2 Type 1 (already available)
- SOC 2 Type 2 (already available)
- ISO 27001
- PCI DSS Level 1
- NIST 800-53
- SIG
- HIPAA
- Privacy Policy
- Certificate of Insurance
- Pen Test
Learn more about Evidence-based Scoring
Enhanced SSC Login Experience
We have introduced a new platform login experience with:
- New login UX design
- New FIDO passwordless login (Learn more about FIDO Authentication)
- New SSO break-glass access
- More login options
Log in with a passkey
New SSO Settings (enabling break-glass access)
Setting up FIDO passwordless login (based on the FIDO2 protocol)
Scheduled Custom Reports
You can now send a direct link to the PDF file within a scheduled report email, providing your recipients with one-click access to the file.
July
New Questionnaires Overview page
The Questionnaires Overview page provides a more personalized experience by grouping vendors within the context of their overall lifecycle status and linking vendors back to the All Companies page.
Learn more about Questionnaires
Assignment Workflow
You can now assign ownership of assets (IPs and domains) and associated issues to individual members or a team.
Learn more about your Digital Footprint
All Companies
All Companies is a complete list of monitored vendors across all portfolios. You can use All Companies to manage all monitored companies in one place, including filtering, sorting, bulk editing, and exporting.
To enable All Companies, navigate to the Early Access Center and flip ON the option “Manage all monitored vendors in ‘All Companies’”.
Learn more about All Companies
Asset Remediation Workflow
Starting from the Digital Footprint page, you can now navigate to the exact issue findings that are associated with the asset you selected and remediate them. Simply select any domain or IP and click on a specific issue to filter for its findings.
Telco IP AI Attribution Model
Security postures within the TICP industry (telcos, ISPs, cloud providers) are now assessed more accurately with the introduction of an AI attribution model that continuously identifies customer or leased IP ranges.
June
Smart Answer for Questionnaires
Smart Answer is SecurityScorecard’s solution for AI-generated questionnaire responses. Simply upload a questionnaire, and Smart Answer will leverage AI to autocomplete future questionnaires based on what was uploaded.
Role-Based Access Control for Questionnaires
Customer admins can add customizable permissions to questionnaires for their teams, enabling them to effectively manage their internal workflows and personnel. Go to Settings > User Permissions > Roles / Create a Role.
TPRM Dashboard
Quickly understand the current state of your vendor risk management program and take action on the things that matter most. The TPRM dashboard is the new landing page upon log-in.
Learn more about the TPRM dashboard
Filtering and Segmentation for Custom Scorecard API
Custom Scorecard filtering and segmentation capabilities featured in the SecurityScorecard UI are now available via API.
Splunk App Update
The SecurityScorecard Splunk app and Splunk add-on now support Splunk versions 9.2, 9.1, and 9.0 on both Splunk Enterprise and Splunk Cloud.
ServiceNow VRM and ITSM App Compatibility with ServiceNow Washington DC
SecurityScorecard VRM and ITSM apps have been tested and recertified for compatibility with the ServiceNow Washington DC release. This allows customers that have upgraded to the Washington DC release to install both SecurityScorecard apps.
May
New vendor workflow from Action Plans in Supply Chain Risk Intelligence
When you create and assign an Action Plan for a vendor, the vendor can return to the platform and see the details of that report. When the vendor opens the Action Plan, they see a list of all the infections, vulnerabilities, and high-risk products.
New Hacker Chatter Signals for Threat Intelligence
Two new Hacker Chatter Signals have been added to the platform, providing you with deeper visibility into threat actors' ongoing campaigns and targets. With real-time feeds from Dark Web sources, your team is able to react and improve your cyber defenses to repel, prevent, and stop the attacks from happening.
- Data Leak Detected: Provides visibility into data leaks that have been published by bad actors as well as the type of information and PII that has been released
- Domain Targeted By Threat Actor Group: Indicates whether your organization is or was being targeted by bad actors
New comment column in Issue Findings table
You can now comment on specific issue findings on the Issue Detail page to improve communication with partners and vendors. Access permissions are view and edit for your own scorecard and view only for other scorecards.
Remediate Issues in Custom Scorecards
You can now submit remediations for issues via a Custom Scorecard, and the remediation is automatically reflected in the main source scorecard.
Learn more about Custom Scorecards
Updates to Vendor Invite Emails
Invited vendors will be given more context for the request and have links to additional help articles for any questions they may have on the task they are being asked to complete. You can also update your organization’s logo on the scorecard’s Company Profile and the logo will be added to the outgoing emails.
Learn more about inviting vendors
Search by Subdomains and CDN filter on Assets in Attack Surface Intelligence
You can search subdomains along with parent domains in Attack Surface Intelligence and use the new “Has CDN” filter to refine search results.
Add Company Modal Update
The process to add a company to your portfolio or watch list has been made consistent across the platform and offers several ways to add the company in one unified experience.
Add Contacts Modal Update
You can add a contact at any time to the organizations you follow from their portfolio list view and the scorecards themselves. In addition, you can bulk upload all of your vendor contacts.
April
Attribution Evidence Provenance
You can now view the whole chain of attribution, along with the corresponding evidence, when you click on an IP or a domain in Digital Footprint.
Schedule and share reports in PDF format via email
Send a direct link to the report’s PDF file within an email, providing recipients with one-click access to the file without having to log in or create an account to view it.
Standardized CSV Reports
All CSV exports from SecurityScorecard now follow the same format: a naming convention that includes the timestamp, CSV columns that match the columns in the UI, and column names that are consistent across the platform.
Quarterly and Annual Scheduled Reports
The report scheduler now includes the option to schedule reports to be sent quarterly and yearly in addition to daily, weekly and monthly.
March
Business impact by company
You can now select a business impact of Low, Medium, High, or Critical for each scorecard in your portfolios and on the scorecard itself. By providing a business impact rating, you will be able to more accurately see the associated risk of the organization based on the vendor’s score and impact.
Learn more about working with portfolios
Products with zero-days and Cloud Exposure view for Supply Chain Risk Intelligence
See which of your vendors have products with a known zero-day vulnerability in the High-Risk Products view and which are storing data in the cloud with the Cloud Exposure view.
Addition of Related Domain Attribution Data
All related domains, including those manually added in Ratings, are now visible in Attack Surface Intelligence and Supply Chain Risk Intelligence.
Scorecard Overview Page
The Scorecard Overview Page is a single page where you can quickly evaluate various states of your organization's security posture and drill down to specific areas for further investigation. The Scorecard Overview Page speeds up risk evaluation by consolidating various data in one view and surfacing actionable items.
Learn more about the Scorecard Overview Page
Vulnerability Intelligence: Multiple Tech Stack Support
Create multiple tech stacks (list of products/versions, product/version inventory) for different business units or purposes like web apps and databases. Set up alerts and RSS feeds for each tech stack.
Ratings: Data Residency
Data Residency is now available for storing questionnaire responses in a local AWS geographic region. Ensure compliance with your country’s regulations, prevent data breaches, and maintain data privacy.
Ratings: Attribution Evidence in Digital Footprint CSV
Attribution source and corresponding evidence for attributing domains and IPs to your digital footprint can now be ingested via CSV. Infosec managers gain confidence around attribution and asset ownership identification, facilitating faster risk mitigation processes.
Example of Attribution Evidence in the Digital Footprint CSV
Ratings: Issue Severity Feedback
You now have the opportunity to provide feedback on issue severity. On the details page of each issue type, you can input whether or not you agree with an issue type's severity and breach risk being “high, medium, or low.” This allows us to better understand the level of severity your organization would apply to certain issue types.
Provide feedback on the Issue Type details page.
Ratings: CVSSv3 Data Filter
We’ve added a data filter to improve the quality of CVSSv3 data. This is expected to have a positive impact on your score.
Ratings: Continued Updates to Issue Type Descriptions, Risks, and Recommendations
You will continue to see updated issue types with clear descriptions, risks, and actionable recommendations that will help you resolve findings faster. The following issue types will be updated as a part of this release:
- Telephony/VoIP device accessible
- SPF Record Missing
- SPF Record Found Ineffective
- SPF record contains a soft fail without DMARC
- Malformed SPF Record
- Server error detected
- High severity content management system vulnerabilities identified
- Exposed Personal Information
- Exposed Personal Information (historical)
- SSL/TLS service supports weak protocol
Re-Use Previously Invited Contacts In Invitations
Contacts from Contact Manager are now reusable, with additional information on “Last Active Date” and job title, whenever you trigger a new email invite. This helps ensure you’re reaching out to the right person and will increase response rates.
Check the last active date, job title, and who a contact was added by when selecting the recipient of your invite.
February
Supply Chain Risk Intelligence: Action Plans
Action plans grant you the ability to click a button and send vendors evidence of threat activity in their environment that needs to be addressed. Your TPRM program owners can quickly and collaboratively address the vendor’s threat exposure in a language that the vendor’s SOC team understands.
Instantly share threat findings with your vendors to take action
Ratings: Executive Reports
Enrich your board-level discussions with a redesigned reporting center, showcasing new executive reporting widgets and templates tailored to address security risks as critical business concerns. With the ability to customize, contextualize, and annotate reports, it's easier to effectively tell a full story to the board regarding risk management and show the business impact of your organization’s security initiatives and investments.
Create custom reports using our new widgets and executive-level templates
Watch List Alerts for Score Changes
Set email alerts to be sent to your team for any score or grade drops in your Watch List.
Create a rule in Rule Builder for Watch List alerts
Evidence Locker: Non-Disclosure Agreement Workflows
You can now limit access to chosen documents in Evidence Locker until vendors have completed an NDA workflow. Simply upload your NDA, select which documents require signatures from vendors, and get alerted via email when requested signatures have been completed. This enhancement will provide additional protection for sensitive, confidential documentation.
Add an NDA requirement to your documentation
Evidence Locker: Request Access Workflows
Request access for private documents you do not have permissions for. Once you request access, an email will be sent to the document owner to approve or deny the request.
Request access to locked documentation. If the document owner grants access to the document, you will be notified via email.
MAX Dashboard
As a MAX customer, you now have an in-platform dashboard where you can view your TPRM risk and the work being done by the SSC team. The MAX dashboard provides your team with real-time visibility into how we’re monitoring your supply chain and resolving issues that are likely to result in an incident.
Score Smoothing
When viewing your score history, you now have the ability to turn on the score smoothing toggle to flatten the line of your trending historical score. Score smoothing simplifies analyzing and reporting on your score trends to the board and other key stakeholders.
Before the score smoothing toggle is turned on
After the score smoothing toggle is turned on
Learn more about score smoothing
Updates to Issue Type Descriptions, Risks, and Recommendations
You will start to see updated issue types with clear descriptions, risks, and actionable recommendations that will help you resolve findings faster. The following issue types have been updated as a part of this release:
- Site does not enforce HTTPS
- Website references object storage
- Unsafe implementation of subresource integrity
- Content Security Policy contains 'unsafe-' directive
- Website copyright is not current
- Session cookie missing "secure" attribute
- Website doesn't implement HSTS best practices
- Server with expired certificate contacted
- Website does not implement X-Content-Type-Options best practices
- HTTP proxy service detected
- Website communicates with payment provider
- Insecure HTTPS redirect pattern
- Browser logs contain debug messages
- Site emits visible browser logs
- Site fails to load page components
- Certificate key is smaller than recommended size
- Link redirects to unsecure website
January
Attribution Event Log
Address questions about your attack surface with a log showing arriving and departing assets, along with the date of change, the reason for the change, and related information.
Learn more about Attribution Event Log
Self-Serve Slot Purchasing
Business users can purchase 1-10 additional slots via self-service. This option becomes available in Account settings when you have reached 80% slot consumption.
ACH and Wire Transfers
You now have the option to make a purchase on the SecurityScorecard platform through wire transfer.
Supply Chain Risk Intelligence
Supply Chain Risk Intelligence provides a digestible and unified view of actionable intelligence to identify your riskiest vendors and show evidence to reduce threat exposure faster. Pre-built threat views including vulnerabilities, infections, breaches, and high-risk assets are available across your vendor portfolios.
Asset Tags in Issues CSV
Domain Tags and IP Tags columns are now available in the Issues CSV export.
Evidence-based score gain visible in Event Log
You are now able to track positive score gains in the Event Log and see all score updates in one centralized location.
Learn more about Evidence-based score gain here
SecurityScorecard Integration for Microsoft Power BI
Cyber risk data from SecurityScorecard can now be used in Power BI to create meaningful queries, visuals and dashboards.
Learn more about integrating with Power BI here
Subsidiary Management v2
Customer admins of a parent scorecard can now add missing assets (domains and IPs) to their subsidiary scorecards, based on the updated hierarchy.
Learn more about updating your hierarchy and using Subsidiary Management