Product Security Hub 20251216.1 (December 16, 2025)
  • ProdSecDesigner
    • Diagramming
      • Added the ability to automatically add components to the Components tab based on diagram data.
      • Introduced "Add from Diagram" button on the Components page and "Add to Components" button on the Diagrams page for seamless data transfer.
      • Implemented automatic component matching using diagram labels and attributes against existing components list.
      • Added support for updating diagram components when component names or descriptions are changed via an "Update Diagram from Components" workflow.
    • Risk & CVSS Scoring
      • Fixed bug where enabling CVSS 4.0 while disabling 3.1 in product details caused incorrect PMCVSS values and vector strings to display in the full product export to Excel.
      • Workaround: Enable both CVSS 3.1 and 4.0 in product details to display both scoring versions on the Residual Risks tab.
    • SBOM Scan History
      • Enhanced the SBOM Scan History page to clearly identify scan type (Automated Scan vs. User-initiated scan with username).
      • Improved reporting to support audit trails and vulnerability tracking workflows.
Product Security Hub 20251001.1 (October 1, 2025)
  • ProdSecDesigner
    • AI Capabilities
      • Introduced initial AI Capabilities for generating content on the threats, requirements and residual risk pages.
      • Provided the ability for a user to enable/disable AI content generation in the product details.
    • SBOM Scan Notifications
      • Introduced a notification window that provides real-time feedback when SBOM scans are completed or fail.
    • Risks Page
      • Added a redesigned Risk Modal to improve editing and visualization of risk entries.
      • Introduced a CVSS v4 justification field for threats and risks to support better documentation and scoring transparency.
    • Diagramming Capabilities
      • Added integrated diagramming features within the app.
      • Users can now add architectural components automatically by linking diagram data, streamlining threat modeling and architecture reviews.
    • Threat Model Report
      • Added the ability to generate a printable Threat Model report.
    • SBOM Scan History
      • Added a page to view previous SBOM scans including date, initiator, and number of vulnerabilities discovered.
    • Import Bug Fixes
      • Fixed bugs related to Requirement import, resolving format mismatch and data integrity issues.
      • Fixed bugs related to Vulnerability import, correcting problems in field mapping and validation logic.
Product Security Hub 20250728.1 (July 28, 2025)
  • ProdSecDesigner
    • Residual Risk Page
      • Added support for CVSS v4 scoring on the Residual Risk page to align with modern vulnerability scoring practices.
    • Threats and Risks Pages
      • Introduced individual detail pages for both Threats and Risks to improve traceability, review, and reporting workflows.
    • Vulnerability Management Page
      • Implemented paging (pagination) to improve performance and usability when displaying large datasets.
    • SBOM Scanning
      • Fixed multiple bugs in the SBOM scanning process that previously caused inconsistent results or failures with certain formats.
      • Added ability to generate and download a new SBOM Scan Report to support evidence collection and documentation.
    • Vulnerability & Requirements Import
      • Resolved issues that caused improper handling of certain field mappings and missing data when importing vulnerability or requirement files.
Product Security Hub 20250513.1 (May 13, 2025)
  • ProdSecDesigner
    • Software Composition Analysis (SCA) Enhancements & Bug Fixes
      • Integrated SBOM Scanning (SCA) feature to allow vulnerability scanning against Google OSV, configurable by tenant.
      • Fixed dashboard display bug and resolved CycloneDX SBOM export/import issue.
Product Security Hub 20250408.1 (April 8, 2025)
  • ProdSecDesigner
    • Threat and Requirements Import
      • New import functionality added to the Threats and Requirements pages, supporting file-based updates using PSH templates.
Product Security Hub 20250407.1 (April 7, 2025)
  • ProdSecDesigner
    • SBOM Import
      • Updated CVSS scoring interface with usability improvements.
      • Unique ID column is now hidden by default across all pages.
Product Security Hub 20250324.1 (March 24, 2025)
  • ProdSecDesigner
    • Product Dashboard & Export Features
      • Dashboard now optionally shows # of Threats, SBOMs, and Components.
      • New export capability added for JSON output.
      • Requirements now support linking to multiple threats.
      • Added individual pages for requirement details.
Product Security Hub 20250310.1 (March 10, 2025)
  • ProdSecDesigner
    • SBOM Enhancements & Dashboard Update
      • SBOMs now include license information per CycloneDX spec.
      • Added “Last Update Date” and “Last Update By” to the Product Dashboard.
      • Resolved multiple SBOM import and component display bugs.
Product Security Hub 20250106.1 (January 6, 2025)
  • ProdSecDesigner
    • CVSS Calculator & Threat Fixes
      • Added CVSS 3.1 Calculator to Threats page (optional).
      • Fixed duplicate threat entries and incorrect dashboard content display.
      • Completed updates to threat logic from previous release.
Product Security Hub 20241210.1 (December 10, 2024)
  • ProdSecDesigner
    • Threat Logic & SBOM Enhancements
      • Resolved issues with threat status transitions.
      • Added unique row IDs to UI tables.
      • Picklists for vulnerabilities sorted numerically.
      • Bulk SBOM component delete added.
      • Fixed display of deleted vulnerabilities in Threats page.
Product Security Hub 20241112.1 (November 12, 2024)
  • ProdSecDesigner
    • Global Data Update
      • Global data fields are now stored locally in each tenant’s environment to prevent unintended changes from global updates.
Product Security Hub 20241014.1 (October 14, 2024)
  • ProdSecDesigner
    • SBOM Import
      • When importing an SBOM with vulnerability data, the Rating’s “source” field was changed from mandatory to optional to allow importing files that lack this information and to align with the CycloneDX spec (bug fix)
      • When importing an SBOM that does not contain SBOM “version” metadata, the version on the SBOM Dashboard is no longer replaced (bug fix)
    • Threats Page and Threats Export
      • Renamed the “Design Feature Mitigation” column to “Recommended Mitigations” (new feature)
Product Security Hub 20241007.1 (October 7, 2024)
  • ProdSecDesigner
    • SBOM Pages
      • When an SBOM with a large number of records (over ~800) was imported, performance on the page was significantly impacted and in some cases caused ProdSecDesigner to time out. Improvements were made to fix the performance issues (bug fix)
Product Security Hub 20240923.1 (September 23, 2024)
  • ProdSecDesigner
    • Global Change
      • Updated from .NET 6 to .NET 8, as .NET 6 is out of support in November 2024 (new feature)
      • Added Role-Based Access Controls to tenants and products to enable read-only or full control, and the ability for a tenant admin to administer their own permissions (new feature)
    • Vulnerability Management Page
      • Added the ability to select multiple vulnerabilities and delete them at once instead of clicking delete on each one individually (new feature)
  • ProdSecMaturity
    • Released updated demographic questions as part of the 2024 MDIC/Apraciti Medical Device Cybersecurity Benchmarking Effort (new feature)
Product Security Hub 20240903.1 (September 3, 2024)
  • ProdSecDesigner
    • Component Page
      • When a component is deleted, the associated SBOMs and vulnerabilities will now be deleted as well (new feature)
    • Residual Risk Page
      • The Search on the Risks page will now search requirements not met, requirements met, and all addendums, including those not displayed due to the field chooser (new feature)
    • SBOM Page
      • Updated the CycloneDX plugin from 6.0.0 to 7.0.1 (new feature)
      • For SBOM imports with VEX data, the “Method” field used in Vuln Ratings will no longer be mandatory (new feature)
    • Vulnerability Management Page
      • The Vulnerability Mgmt page will no longer display orphaned data for Time Until Patch Available, Number of Devices Impacted, Number of Devices Patched, and Time Patch Available after a Patch is deleted (new feature)
      • New fields added to the PSH Vulnerabilities Dashboard: “Time Until Patch Available”, “Number of Devices Impacted”, “Number of Devices Patched”, “Time Patch Available Until Patched” and the Patches page includes the new field “Date All Devices Were Patched” (new feature)
    • Exporting
      • Requirement text that was not relevant will no longer be included in the SecurityRequirement field in the exports
      • 4 new fields visible on the Vulnerability dashboard will be exported: Time Until Patch Available, Number of Devices Impacted, Number of Devices Patched, Time Patch Available Until Patched – and 1 new field on the Patch dashboard will be exported: Date All Devices Were Patched (new feature)
  • ProdSecMaturity
    • Added NIST Cybersecurity Framework Version 2 as a maturity assessment option (new feature)
Product Security Hub 20240805.1 (August 5, 2024)
  • ProdSecDesigner
    • Global Change
      • Paging was implemented across ProdSecDesigner pages to split large amounts of records into pages, with a page navigation bar at the bottom of each ProdSecDesigner page when necessary (new feature)
    • Exporting
      • Exports from the My Product Dashboard were updated to include a new tab that lists all requirements in the grouped view (where requirements include the group of components that are applicable instead of a unique requirement per component) (new feature)
      • Exporting CycloneDX SBOMs without vulnerabilities from the SBOM page has been added (new feature)
    • Residual Risk Page
      • A Scoring Justification field was added to the risks page to be used for explaining how scores were generated (new feature)
      • Fixed a crash when importing using the blank template on the Risks page (bug fix)
    • Requirements Page
      • The ability for a user to set a default view of Grouped or Ungrouped Requirements has been added on the Product Details page (new feature)
      • Fixed a bug where Requirements are reverted to Status = WIP and added back to Threats with applicability = No after adding a new Component (bug fix)
    • Vulnerability Management page
      • New fields added to the PSH Vulnerabilities Dashboard: “Time Until Patch Available”, “Number of Devices Impacted”, “Number of Devices Patched”, “Time Patch Available Until Patched” and the Patches page includes the new field “Date All Devices Were Patched” (new feature)
Product Security Hub 20240708.1 (July 8, 2024)
  • ProdSecDesigner
    • Product Dashboard
      • Added additional fields to hide or show in the settings modal. (new feature)
    • Requirement/Threat Importing
      • Added the ThreatID and RequirementID to the Threats/Requirements Import Review screen. (new feature)
    • Patch Importing
      • Replaced “SBOM Component BOM-Ref” with “SBOM Component ID” on the Patch import template. (new feature)
    • Exporting
      • Renamed “Description” column header in Product export Threats tab to “STRIDE Category”. (new feature)
    • Vulnerability Page
      • Updated the “Date Identified” field to restrict entries to current or past dates only. (new feature)
    • Vulnerability Management Page
      • Updated the Vulnerability “Ratings” on the Vulnerability Management dashboard. (new feature)
Product Security Hub 20240627.1 (June 27, 2024)
  • ProdSecDesigner
    • Residual Risks Page
      • Updated fields that are displayed by default and fields that can be hidden on the Risks page. (new feature)
    • Exporting
      • Added pre-defined glossary tabs for Threats, Requirements, and Risks within Product exports. (new feature)
      • Replaced the comma delimiters with a semicolon delimiter in the exports of requirement text in the Risks tab (SecurityRequirement) due to the use of commas within the requirements. (new feature)
    • Threats Page
      • Implemented a bug fix so that the hover-over display of requirements within the UI functions properly after a threat is set to N/A, then set back to Applicable. (bug fix)
    • Adding a New Product
      • Implemented a bug fix so that when a user adds a New Product, the Add New Product screen disappears after clicking the Add button. (bug fix)
    • Data Update
      • Updated the Product Security Hub data according to the June Product Security Hub Data Load, which adds a new “AI Model” component, threats, and requirements, along with several additional minor modifications to mappings of existing requirements to existing threats. (new feature)
Product Security Hub 20240624.1 (June 24, 2024)
  • ProdSecDesigner
    • Product Dashboard
      • Added product consolidation via “carets” and new requirements status fields to the product dashboard that can be enabled in the Settings Modal: # of Req, # of Req WIP, # of Req Met, # of Req Not Met, # of Req N/A. (new feature)
    • Residual Risks Export Bug
      • Implemented a bug fix for the product export Risks tab, where requirements that were not met, met, WIP, and N/A were sometimes mixed together in the SecurityRequirements column. (bug fix)
    • Requirements Sorting Bug
      • Implemented a bug fix to sort the requirements screen by the Component ID (tenant’s unique ID) instead of the component name. (bug fix)
    • SBOM Component Inventory Page
      • Added the ability to sort by the known vulns and CRA ID columns on the SBOM component dashboard. (new feature)
    • Vulnerabilities Management Page
      • Added the existing “one sentence summary” open text field from the Vulnerability Details to the Vulnerability Management dashboard, after the VM ID and before the Status field. (new feature)
Product Security Hub 20240611.1 (June 11, 2024)
  • ProdSecDesigner
    • Global Change
      • The character limit on open text fields has been increased from 1000 to 2000 characters to support additional text content. (new feature)
    • SBOM Component Inventory
      • The “software level of support” field used within SBOM Components has been updated from mandatory to optional, as this field is not mandatory per the CycloneDX specification, and as mandatory it requires the user to add this information when modifying any component if the information is missing. (new feature)
    • Requirement/Threat Importing Bug
      • Implemented a bug fix to resolve an issue identified when a user adds a new custom requirement to an existing Product Security Hub threat via the import functionality and then proceeds to delete the requirement, which causes the requirements page to display an error because PSH attempts to also delete the associated threat. This fix updates the requirement deletion logic to remove the automatic deletion of an associated threat. (bug fix)
Product Security Hub 20240530.1 (May 30, 2024)
  • ProdSecDesigner
    • Security Patch
      • Updated the Microsoft.Identity.Web package – this change was necessary to resolve a known vulnerability in the 3rd party component and update to the latest version. (security patch)
    • Global Change
      • Added a “changes have been saved successfully” message pop up in the lower right corner of Product Security Hub when Product Security Hub automatically saves any edits made. (new feature)
    • Residual Risk Page
      • Added more detail to the hover-over help messages for the CVSS fields in the Risks page. (new feature)
Product Security Hub 20240515.1 (May 15, 2024)
  • ProdSecDesigner
    • Vulnerability Management
      • Added Vulnerability Management feature, with the ability to track vulnerabilities by either manually adding them or importing from a Microsoft Excel file. The vulnerabilities can also be associated with SBOM Components, Residual Risks or Patches, for full end-to-end traceability. (new feature)
    • Data Update
      • Released a new version of the component, threat, and requirements data. Most changes were semantic changes (e.g. look and feel) and a new component was added (data flow to external entity). Existing products will primarily notice these semantic changes on the requirements page (new feature).
      • Example: “Anonymous and/or guest access to the component shall be prohibited (removed or disabled)” was updated to “Anonymous and/or guest access shall be prohibited (removed or disabled)”
      • Example: “The component shall automatically log out an authenticated user after a period of inactivity” was updated to “Authenticated users shall be automatically logged out after a period of inactivity”
    • Global Change
      • Implemented a UI modification to maintain the header on the threats, requirements, and residual risks pages (new feature).
      • Removed the “Changes have been made successfully” banner that appeared each time a field was edited (new feature).
    • Residual Risk Creation Logic
      • Previously, residual risks were generated each time a requirement was labeled as “Not Met,” resulting in a significant number of residual risks tied to requirements, even if they were recommendations rather than mandatory. The new approach associates residual risks with threats rather than requirements when a requirement is marked as “Not Met.” This allows for consolidating multiple “Not Met” requirements into a single risk associated with a single threat. Existing products will notice consolidated risks on the residual risks page, including new risk id numbers. The previous risk id numbers will appear in the Residual Risk column (new feature).
    • Requirements Page Consolidation View
      • Introduced the capability to consolidate requirements around the requirement itself rather than the component, facilitating a more efficient review of requirements and creating a more concise list to work with. This also provides the ability to update requirements that impact multiple components quickly by switching to the consolidated view and editing the requirements (new feature).
    • Import Capabilities
      • Added the functionality to import new/custom requirements, threats, or residual risks, as well as existing ones that may have been edited offline in Microsoft Excel. Users can download a blank or pre-filled template, make edits, and then import it into ProdSecDesigner (new feature).
    • Additional Addendums
      • Expanded the editable fields (addendums) on the requirements and threats pages (new feature).
    • Dashboard Updates
      • Included additional existing fields in the patch management, vulnerability management, and SBOM dashboards (new feature).
    • SBOM Importing/Exporting of Vulnerability Data
      • Enhanced the SBOM Management page to allow importing and exporting vulnerability data within the CycloneDX JSON file format (new feature).
    • KEV Checking
      • Added the functionality to verify vulnerabilities with CVEs in ProdSecDesigner against the DHS CISA KEV database (new feature).
Product Security Hub 20240208.1 (February 8, 2024)
  • ProdSecDesigner
    • Added Vulnerability Management feature, with the ability to track vulnerabilities by either manually adding them or importing from a Microsoft Excel file. The vulnerabilities can also be associated with SBOM Components, Residual Risks or Patches, for full end-to-end traceability. (new feature)
Product Security Hub 20240125.1 (January 25, 2024)
  • ProdSecDesigner
    • Updated the Threats and Requirements pages to show the component name and not component type (bug fix)
    • Changed ISO 80001-22 to ISO 80001-2-2 on the Requirements Page (bug fix)
    • Updated the Threats Page to include the ability to show residual risks and met and not met requirements (new feature)
    • “Reference to Safety Risk Assessment” field added to Residual Risks page (new feature)
    • Updated new version feature to include the Completed IFU Guidance field in the new version (bug fix)
    • Fixed an issue with using a product name that was already used (bug fix)
    • Updated the export feature to include custom threat and requirement details and include R in front of the requirement ids (bug fix)
    • Added Software Bill of Materials (SBOM) feature, with the ability to manually add SBOM components, import from a CycloneDX JSON file, export to a CycloneDX JSON file or a Microsoft Excel human readable file (new feature)
    • Added Patch Management feature, with the ability to track cybersecurity patches by either manually adding them or importing from a Microsoft Excel file (new feature)
  • ProdSecAssessor
    • Initial release of ProdSecAssessor, which provides the ability to assess against a number of industry guidance documents from US FDA, Australian TGA, EU MDCG and more (new feature)
Product Security Hub 20231005.1 (October 5, 2023)
  • ProdSecDesigner
    • Changed dashboard view to group products by product name (new feature)
    • Added ability to create new versions of existing products (new feature)
    • Updated the export file to include product name and added applicability to threat output (new feature)
    • Added a new field (consideration for ifu/labeling) on the risk assessment page (new feature)
    • Added a new field (product status) to the product details page (new feature)
    • Updated component ids in the add a new threat and add a new requirement modal (new feature)
  • ProdSecMaturity
    • Removed the draft guidance, US FDA Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions maturity assessment
    • Added the final guidance, US FDA Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions maturity assessment (new feature)
Product Security Hub 20230808.1 (August 8, 2023)
  • Product Security Hub Platform
    • Initial release of Product Security Hub Platform, ProdSecDesigner and ProdSecMaturity.