Request vendor response to risk advisory

Tiffany Hale Updated by Tiffany Hale

Requests for vendor response empowers security teams to quickly gather information from vendors impacted by major security advisories (e.g., supply chain compromises, zero-day vulnerabilities).

A screenshot of the request for information modal

Creating a request

  1. From the detail drawer of any risk advisory, there's a call to action at the bottom to "Request vendor response"
  2. Users can select from their existing vendor relationships:
    1. Filter by tiers, tags, business units, business cases, data types to hone in on the right relationships
    2. Choose multiple relationships, or quick-select every relationship in your population
Relationships that do not have a third party contact cannot be included in the request. Please provide a contact on the relationship page to include that relationship in the request.
  1. Once you've selected you vendors, navigate to the section titled "What should we ask for?" Add and create questions for vendors to respond to. You have the power to get context-specific, actionable answers instead of generic attestations.
  2. Just like a regular assessment, use the "Advance settings" section to define how to proceed with collection timelines, vendor non-response, and follow up options.
  3. Send the request for information in one click. The third party contact for each relationship will receive a collection request with your specific questions included.

FAQ

Can I send a risk advisory request to all vendors at once?
Yes. You can bulk-select all vendor relationships, but the system will automatically exclude vendors missing a valid contact or those already under assessment.
What happens if a vendor doesn’t respond?
In "Advanced settings", you can choose how to handle non-responses—options include escalation, marking the request incomplete, or closing it.
Can I customize the vendor questions?
Absolutely. The setup modal includes open text fields for you to input questions for your org. Don't know where to start? Agent can help you analyze impact and construct outreach directly from the advisory details.
Where do I track vendor responses?
You can track vendor response in the relationship page. In the artifact list, view the "Questionnaire" artifact to review your vendor's response.
How long do advisory requests remain active?
Each advisory has an expiration date (e.g., 30 days from publication). Requests must be sent and responses collected within that window.

How did we do?

Configuring assessment defaults

Contact