Commit 763eb62

Recommend against 3rd party servers using nuget.org resources directly (#3438)
1 parent 99f440d commit 763eb62

4 files changed: 21 additions and 4 deletions


docs/api/implementation-guide.md

Lines changed: 9 additions & 3 deletions
Original file line number | Diff line number | Diff line change
@@ -106,9 +106,15 @@ Nuget.org provides vulnerability data for all GitHub reviewed advisories from th
106106

107107
If your package repository is hosting first-party packages, and you would like to provide vulnerability information to customers using your own feed, but don't yet have any disclosed package vulnerabilities, you should provide a [vulnerability index](./vulnerability-info.md#vulnerability-index) with one or more [vulnerability pages](./vulnerability-info.md#vulnerability-page) whose contents are an empty JSON array (`[]`).
108108

109-
If your package repository is intended to be used by apps as the default repository (instead of nuget.org), you can use nuget.org's vulnerability data.
110-
One option is to use nuget.org's vulnerability index URL in your service index.
111-
Another option is to periodically check nuget.org's `VulnerabilityInfo` index, and download any changed pages to mirror locally.
109+
#### Reusing nuget.org's vulnerability data
110+
111+
NuGet does not require that resources in the [service index](./service-index.md), or [the vulnerability index](./vulnerability-info.md#vulnerability-index), must be on the same server as the service index itself.
112+
However, there are several reasons why some companies choose to block nuget.org at the firewall, or have on-prem feeds on a disconnected network.
113+
To avoid connectivity issues, we recommend serving vulnerability data from your own web app, so that NuGet clients only make HTTP connections to the host the feed is installed on.
114+
115+
✔️ DO cache or proxy the vulnerability pages in your own web app
116+
117+
❌ DO NOT advertise api.nuget.org in your service index or vulnerability index without a configuration to turn this off.
112118

113119
## `packageTypes` search query
114120

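Review bot: new line 117 ("DO NOT advertise api.nuget.org ... without a configuration to turn this off") leaves "this" and the intended default unclear; suggest "unless the feed exposes a configuration option that removes the direct api.nuget.org reference, documented for operators deploying on restricted networks". New line 111 also reads awkwardly ("does not require that resources ... must be on the same server"); drop "must". Finally, the deleted line 111 was the only place that said how to mirror safely (periodically check nuget.org's `VulnerabilityInfo` index and re-download any changed pages); the replacement "DO cache or proxy" bullet on line 115 gives no equivalent procedure, so a reader could build a fixed-TTL cache that keeps serving a page after nuget.org has regenerated it. Consider carrying that sentence into the new subsection.
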
docs/api/service-index.md

Lines changed: 4 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -65,6 +65,10 @@ There is no requirement that each resource has a unique `@id` or `@type`. It is
6565
determine which resource to prefer over another. One possible implementation is that resources of the same or
6666
compatible `@type` can be used in a round-robin fashion in case of connection failure or server error.
6767

68+
A resource can use a different host or domain than the service index, but this may cause issues in environments with strict network rules.
69+
In particular, if your service index adds resources that point directly to nuget.org (rather than proxying or caching through your own feed), your feed will not work where access to nuget.org is blocked.
70+
If your feed is going to delegate particular resources to nuget.org, we recommend adding a configuration so that when your feed is deployed, the direct nuget.org reference can be removed from the service index.
71+
6872
### Sample request
6973

7074
```
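Review bot: "your feed will not work" on new line 69 overstates the failure; only the operations that depend on the nuget.org-hosted resources break, and context lines 65-67 above already describe clients choosing between resources of compatible `@type` on connection failure. Suggest "the operations that depend on those resources will fail where access to nuget.org is blocked". The hunk also says "nuget.org" throughout while the implementation guide change in this same commit names `api.nuget.org`; use one host name so operators know exactly which host to allow. On line 70, state the safe default for the recommended configuration (direct reference omitted unless explicitly enabled); otherwise a deployment that forgets the setting still ships a service index that breaks on a disconnected network.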

docs/api/vulnerability-info.md

Lines changed: 3 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -33,6 +33,9 @@ The data file schema does not allow for modification or redaction of known vulne
3333
Therefore if a server's vulnerability data source (for example the [GitHub Advisories Database](https://github.com/advisories)) modifies an existing advisory, the NuGet server must modify the page that the vulnerability information was previously reported.
3434
One way to achieve this with the suggested partition scheme is to treat all vulnerability modifications and deletions as a trigger to regenerate the complete `base.json` file, and empty `updates.json`.
3535

36+
If you intend to use nuget.org's vulnerability data in your own NuGet server implementation, you should take into consideration developers who do not have direct access to nuget.org.
37+
[See our implementation guide for more details](./implementation-guide.md#reusing-nugetorgs-vulnerability-data).
38+
3639
## Versioning
3740

3841
The following `@type` values are used:
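Review bot: the new paragraph at lines 36-37 sits directly under the text explaining that an advisory modification forces the server to rewrite the page the entry was previously reported in (lines 33-34), but does not connect the two; a server that proxies or caches nuget.org's pages inherits that obligation and has to re-fetch `base.json` whenever nuget.org regenerates it, or it keeps serving the outdated entry. Suggest one sentence making that explicit before the link. "take into consideration developers who do not have direct access to nuget.org" is also vague about the action required; say it plainly: serve the pages from the feed's own host rather than pointing clients at nuget.org.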

docs/hosting-packages/Overview.md

Lines changed: 5 additions & 1 deletion
Original file line number | Diff line number | Diff line change
@@ -33,7 +33,7 @@ There are also several other NuGet hosting products such as [Azure Artifacts](ht
3333
- [JetBrains Space](https://www.jetbrains.com/help/space/nuget-feed.html)
3434
- [LiGet](https://github.com/ai-traders/liget), an open-source implementation of NuGet V2 server that runs on kestrel in docker
3535
- [MyGet](https://myget.org)
36-
- [Nexus Repository OSS](https://www.sonatype.com/nexus-repository-oss) from Sonatype.
36+
- [Nexus Repository OSS](https://www.sonatype.com/products/sonatype-nexus-oss-download) from Sonatype.
3737
- [NuGet Server (Open Source)](https://github.com/svenkle/nuget-server), an open-source implementation similar to Inedo's NuGet Server
3838
- [NuGet Server](http://nugetserver.net/), a community project from Inedo
3939
- [ProGet](https://inedo.com/proget) from Inedo
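Review bot: style only; the Nexus entry keeps a trailing period ("from Sonatype.") while the neighbouring entries ("[MyGet](https://myget.org)", "from Inedo") have none. The new URL is a download landing page while the link text names the product; if a product page exists, linking it would be more consistent with the other entries and less likely to move.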
@@ -42,3 +42,7 @@ There are also several other NuGet hosting products such as [Azure Artifacts](ht
4242
- [RepoFlow](https://www.repoflow.io), a simple and easy-to-use package management platform.
4343

4444
Regardless of how packages are hosted, you access them by adding them to the list of available sources in `NuGet.Config`. This can be done in Visual Studio as described in [Package Sources](../consume-packages/install-use-packages-visual-studio.md#package-sources), or from the command line using [`nuget sources`](../reference/cli-reference/cli-ref-sources.md). The path to a source can be a local folder pathname, a network name, or a URL.
45+
46+
[NuGet's V3 protocol](../api/overview.md) uses a [service index](../api//service-index.md) that contains a list of URLs used by various NuGet operations.
47+
All of the URLs in the service index must be accessible by developer and CI machines to avoid unexpected errors.
48+
When installing any NuGet feed, it is important to validate that none of the service index resources are blocked by a company firewall, or if your network is disconnected from the Internet, that all service index resources are available on your private network.
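Review bot: the second link on new line 46 has a doubled slash, `../api//service-index.md`; it should be `../api/service-index.md`, matching `../api/overview.md` on the same line. "When installing any NuGet feed" on line 48 is ambiguous between adding a feed as a package source and deploying a feed server; the sentence is about the consumer side, so "When adding a NuGet feed as a package source" is clearer. It would also help to name the check the paragraph asks for: fetch the service index URL from a developer or CI machine and confirm that every resource `@id` it lists resolves from that network, not only the service index itself.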
