Multiple broken URLs in CNAsList.json — May 2026 audit (17 CNAs, 23 URLs)

[kurtseifried]

Multiple broken URLs in CNAsList.json — May 2026 audit (17 CNAs, 23 URLs)

An audit of the 1,122 URLs in src/assets/data/CNAsList.json (across the disclosurePolicy[], securityAdvisories.advisories[], securityAdvisories.alerts[], contact[].contact[], and contact[].form[] fields) found 23 URLs across 17 CNAs that are confirmed broken as of 2026-05-08.

Methodology (so this is reproducible)

For each URL: HTTP GET via httpx (follow redirects, capture status + body sample); ambiguous results (403, network errors) re-tested via headless Chromium / Playwright with browser fingerprint + the user's installed Chrome channel; remaining ambiguities verified manually in a normal browser. Network-layer reachability (DNS resolution + TLS handshake on port 443) checked separately on the host without HTTP. The 23 below are the URLs that failed all of those checks, including a manual visit in a real browser.

The full audit (1,122 URLs, 502 CNAs, including the false-positive shake-out of bot-blocked-but-working URLs) is in CloudSecurityAlliance/SecID/working-data/cve-org-url-audit/ — scripts, raw CSVs, and screenshots.

Prior issues for the same dataset

The CVE Project has fixed similar broken-URL reports in the past, but the fixes degrade over time as vendor sites are reorganized:

• Broken links #283 "Broken links" (NCSC-FI) — closed 2021. NCSC-FI is back on this list with 3 newly-broken URLs (different paths than Broken links #283).
• Broken links on Partner Details page #898 "Broken links on Partner Details page" (krcert) — closed. krcert is on this list again with a different broken URL.
• 'openGauss Community' Partner Page: Policy link is broken #1495 "'openGauss Community' Partner Page: Policy link is broken" — closed 2022. openGauss is on this list again with the same kind of policy-link breakage.

Closing these as one-off fixes addresses the symptom; the URLs in CNAsList.json have no pre-merge validation and CNAs occasionally reorganize their security pages without notifying anyone. Three of the 17 CNAs below are repeat offenders.

The 17 CNAs and 23 broken URLs

Format: [failure_kind] field_path: URL

Failure kinds:

• hard_404 — server returned HTTP 404
• confirmed_dead_connect — DNS resolves but TCP/HTTPS connection fails (host genuinely unreachable from outside its network)
• confirmed_dead_ssl — TLS handshake fails (client-cert required, locked cipher, or misconfigured WAF)
• bot_blocked — server returns 403 to httpx, headless Chromium, and channel=chrome-launched Chrome with realistic fingerprint, but works in a manual-Chrome session

Black Lantern Security (BLSOPS, CNA-2023-0027)

• [hard_404] disclosurePolicy[0].url: https://www.blacklanternsecurity.com/cna.html

CTOne Inc. (CTOne, CNA-2025-0019)

• [confirmed_dead_ssl] disclosurePolicy[0].url: https://ctone.com//wp-content/uploads/2024/07/CTOne-Vulnerability-Disclosure-Policy.pdf
• [confirmed_dead_ssl] securityAdvisories.advisories[0].url: https://ctone.com/published-product-vulnerabilities/

Dragos, Inc. (Dragos, CNA-2022-0030)

• [hard_404] securityAdvisories.advisories[0].url: https://www.dragos.com/advisories/

Hitachi Energy (Hitachi_Energy, CNA-2021-0028)

• [hard_404] securityAdvisories.advisories[0].url: https://www.hitachienergy.com/cybersecurity/alerts-and-notifications

Indian Computer Emergency Response Team (CERT-In) (CERT-In, CNA-2021-0050)

• [confirmed_dead_connect] disclosurePolicy[0].url: https://www.cert-in.org.in/RVDCP.jsp
• [confirmed_dead_connect] securityAdvisories.advisories[0].url: https://www.cert-in.org.in/

(Note: CERT-In's host appears to be geo-restricted — it may resolve from inside India but times out from outside.)

KrCERT/CC (krcert, CNA-2016-0021) — prior issue: #898 (closed)

• [hard_404] disclosurePolicy[0].url: https://knvd.krcert.or.kr/processingProcedures.do

National Cyber Security Centre Finland (NCSC-FI) (NCSC-FI, CNA-2023-0033) — prior issue: #283 (closed)

• [hard_404] disclosurePolicy[0].url: https://www.kyberturvallisuuskeskus.fi/fi/ajankohtaista/haavoittuvuudet-miten-niista-ilmoitetaan-oikein
• [hard_404] disclosurePolicy[1].url: https://www.kyberturvallisuuskeskus.fi/en/our-services/situation-awareness-and-network-management/vulnerability-coordination
• [hard_404] securityAdvisories.advisories[1].url: https://www.kyberturvallisuuskeskus.fi/en/haavoittuvuudet

OMRON Corporation (OMRON, CNA-2024-0070)

• [bot_blocked] contact[0].contact[0].url: https://www.omron.com/contact/ContactForm.do?FID=00282
• [bot_blocked] disclosurePolicy[0].url: https://www.omron.com/contact/ContactForm.do?FID=00282
• [bot_blocked] securityAdvisories.advisories[0].url: https://www.omron.com/global/en/inquiry/vulnerability_information/

(OMRON's WAF blocks all automated traffic. Real-browser verification: the URLs return error pages, not the intended forms — this was confirmed in a manual visit. Either the WAF is misconfigured or the form pages have been retired.)

Omnissa, LLC (Omnissa, CNA-2024-0078)

• [hard_404] disclosurePolicy[0].url: https://static.omnissa.com/uploads/omnissa-external-vulnerability-response-and-remediation-policy.pdf

Palo Alto Networks, Inc. (palo_alto, CNA-2018-0005)

• [confirmed_dead_connect] securityAdvisories.advisories[0].url: https://securityadvisories.paloaltonetworks.com/

(Hostname has been retired — Palo Alto moved their security advisories to a different domain.)

Patchstack (Patchstack, CNA-2021-0025)

• [hard_404] disclosurePolicy[0].url: https://patchstack.com/patchstack-vulnerability-disclosure-policy/

STAR Labs SG Pte. Ltd. (STAR_Labs, CNA-2023-0010)

• [hard_404] disclosurePolicy[0].url: https://starlabs.sg/advisories/STAR%20Labs%20SG%20Pte.%20Ltd.%20Vulnerability%20Disclosure%20Policy.pdf

Silicon Labs (Silabs, CNA-2021-0056)

• [hard_404] securityAdvisories.advisories[0].url: https://siliconlabs.force.com/s/alert/Alert__c/00B1M000009sQ4R

Switzerland National Cyber Security Centre (NCSC) (NCSC.ch, CNA-2021-0040)

• [hard_404] securityAdvisories.advisories[0].url: https://www.ncsc.admin.ch/ncsc/en/home/infos-fuer/infos-it-spezialisten/themen/schwachstelle-melden/advisories.html

Temporal Technologies Inc. (Temporal, CNA-2023-0030)

• [hard_404] disclosurePolicy[0].url: https://docs.temporal.io/temporal-technologies-inc-security
• [hard_404] securityAdvisories.advisories[0].url: https://docs.temporal.io/temporal-technologies-inc-security

Trellix (Trellix, CNA-2016-0022)

• [confirmed_dead_connect] disclosurePolicy[0].url: https://kcm.trellix.com/corporate/index?page=content&id=KB95564
• [confirmed_dead_connect] securityAdvisories.advisories[0].url: https://supportm.trellix.com/webcenter/portal/supportportal/pages_knowledgecenter

(Hostnames are retired post-FireEye/McAfee → Trellix rebrand.)

openGauss Community (openGauss, CNA-2022-0019) — prior issue: #1495 (closed)

• [hard_404] disclosurePolicy[0].url: https://opengauss.org/zh/security.html

Bonus: malformed URL (separate from the 23 above)

HDFG (HDF Group, CNA-2022-0058) has a leading space in disclosurePolicy[0].url:

"url": " https://github.com/HDFGroup/hdf5/security/policy"

The URL itself is fine — the path resolves correctly once the leading space is stripped — but httpx, strict URL parsers, and any code that treats the field as-is will fail with unsupported_protocol. Worth a one-character fix.

Suggested next step

Reach out to each affected CNA's security contact to provide an updated URL, then update CNAsList.json. If a CNA can't provide a working URL, removing the broken entry is preferable to leaving a 404 — the CVE Record reader will at least see no URL rather than a dead one.

For the longer-term gap, a periodic CI check that issues a HEAD/GET against every URL in CNAsList.json on a cadence (weekly, monthly) and opens an issue when one fails would prevent these from accumulating. Happy to share the audit script if useful.

[kurtseifried]

Companion audit just filed: #3938 — broken email addresses in CNAsList.json (4 CNAs, real-mail bounce evidence). Same dataset, same root-cause pattern (post-M&A / post-rebrand staleness in contact info), different field (contact[].email[].emailAddr rather than the URL fields covered here).

[kurtseifried]

Additional 7 CNAs found via manual screenshot verification

Cross-referencing the audit data with manual visual verification surfaced 7 more CNAs with broken URLs that didn't make the original list above (mostly because of URL-string mismatches between the audit set and the manual verification set — e.g., censys.io vs censys.com, or sibling URLs on the same host having different fates).

CNA	shortName	cnaID	Field	Broken URL	What the user sees
Censys	Censys	CNA-2021-0035	disclosurePolicy[0].url	https://censys.io/vulnerability-disclosure	Redirects to censys.com/vulnerability-disclosure → HTTP 404 ("The page you're looking for doesn't exist or may have been moved") — Censys rebranded from .io to .com and the policy page didn't survive the migration
Grafana Labs	GRAFANA	CNA-2022-0048	disclosurePolicy[0].url	https://grafana.com/security.txt	HTTP 404 ("This page could not be found") — no security.txt at the well-known or root path on grafana.com
Honeywell International Inc.	Honeywell	CNA-2022-0046	securityAdvisories.advisories[0].url	https://sps.honeywell.com/us/en/support/productivity/cyber-security-notifications	HTTP 504 Gateway Time-out (persistent — not transient; manually verified) — different failure mode from a 404 but functionally broken
Integrated Control Technology LTD	ICT	CNA-2023-0056	disclosurePolicy[0].url and securityAdvisories.advisories[0].url	https://ict.co/help-support/responsible-disclosure-policy/ https://ict.co/help-support/security-advisories/	Both URLs return "Page Not Found | ICT" — site reorganization, both paths gone
Larry Cashdollar	larry_cashdollar	CNA-2016-0007	disclosurePolicy[0].url	http://www.vapidlabs.com/misc/policy.html	Apache "Not Found / The requested URL was not found on this server" — also note this URL is http:// not https://
Israel National Cyber Directorate	INCD	CNA-2021-0030	securityAdvisories.advisories[0].url	https://www.gov.il/en/departments/faq/cve_advisories	Hebrew 404 page ("Sorry, the page you searched for was not found") after passing the Cloudflare bot challenge. The sister disclosurePolicy[0].url (https://www.gov.il/en/departments/general/cve_policy) does work once a human gets past the challenge — only the advisories URL is dead. Worth knowing because both URLs share the host, both bot-block automation, but only one is genuinely broken.
Zigor / ZGR	ZGR	CNA-2021-0058	securityAdvisories.advisories[0].url	https://www.zigor.com/list-of-vulnerabilities/	Spanish 404 ("PÁGINA NO ENCONTRADA / Lo sentimos. La página que busca no existe.") — site has been reorganized; the sister disclosurePolicy URL still works

This brings the total for this audit to 24 CNAs with confirmed-broken URLs in CNAsList.json (17 originally + 7 here). Companion email-validation issue is #3938.

The visual evidence (screenshots) is in working-data/cve-org-url-audit/screenshots/ and the underlying data is in broken-by-cna.csv and final-report.csv.

[kurtseifried]

Additional 7 CNAs found via manual screenshot verification

Cross-referencing the audit data with manual visual verification surfaced 7 more CNAs with broken URLs that didn't make the original list above (mostly because of URL-string mismatches between the audit set and the manual verification set — e.g., censys.io vs censys.com, or sibling URLs on the same host having different fates).

CNA	shortName	cnaID	Field	Broken URL	What the user sees
Censys	Censys	CNA-2021-0035	disclosurePolicy[0].url	https://censys.io/vulnerability-disclosure	Redirects to censys.com/vulnerability-disclosure → HTTP 404 ("The page you're looking for doesn't exist or may have been moved") — Censys rebranded from .io to .com and the policy page didn't survive the migration
Grafana Labs	GRAFANA	CNA-2022-0048	disclosurePolicy[0].url	https://grafana.com/security.txt	HTTP 404 ("This page could not be found") — no security.txt at the well-known or root path on grafana.com
Honeywell International Inc.	Honeywell	CNA-2022-0046	securityAdvisories.advisories[0].url	https://sps.honeywell.com/us/en/support/productivity/cyber-security-notifications	HTTP 504 Gateway Time-out (persistent — not transient; manually verified) — different failure mode from a 404 but functionally broken
Integrated Control Technology LTD	ICT	CNA-2023-0056	disclosurePolicy[0].url and securityAdvisories.advisories[0].url	https://ict.co/help-support/responsible-disclosure-policy/ https://ict.co/help-support/security-advisories/	Both URLs return "Page Not Found | ICT" — site reorganization, both paths gone
Larry Cashdollar	larry_cashdollar	CNA-2016-0007	disclosurePolicy[0].url	http://www.vapidlabs.com/misc/policy.html	Apache "Not Found / The requested URL was not found on this server" — also note this URL is http:// not https://
Israel National Cyber Directorate	INCD	CNA-2021-0030	securityAdvisories.advisories[0].url	https://www.gov.il/en/departments/faq/cve_advisories	Hebrew 404 page ("Sorry, the page you searched for was not found") after passing the Cloudflare bot challenge. The sister disclosurePolicy[0].url (https://www.gov.il/en/departments/general/cve_policy) does work once a human gets past the challenge — only the advisories URL is dead. Worth knowing because both URLs share the host, both bot-block automation, but only one is genuinely broken.
Zigor / ZGR	ZGR	CNA-2021-0058	securityAdvisories.advisories[0].url	https://www.zigor.com/list-of-vulnerabilities/	Spanish 404 ("PÁGINA NO ENCONTRADA / Lo sentimos. La página que busca no existe.") — site has been reorganized; the sister disclosurePolicy URL still works

This brings the total for this audit to 24 CNAs with confirmed-broken URLs in CNAsList.json (17 originally + 7 here). Companion email-validation issue is #3938.

The visual evidence (screenshots) is in working-data/cve-org-url-audit/screenshots/ and the underlying data is in broken-by-cna.csv and final-report.csv.