4 changes: 3 additions & 1 deletion docs/core/tools/dotnet-restore.md
@@ -199,14 +199,16 @@ Starting in .NET 8, `dotnet restore` includes NuGet security auditing. This audi

To opt out of the security auditing, set the `<NuGetAudit>` MSBuild property to `false` in your project file.

To retrieve the known vulnerability dataset, ensure that you have the NuGet.org central registry defined as one of your package sources:
To retrieve the known vulnerability dataset from the NuGet.org central registry, define the following in the *nuget.config* file:

```xml
<packageSources>
<add key="nuget.org" value="https://api.nuget.org/v3/index.json" protocolVersion="3" />
</packageSources>
```

NuGet.org is the only package source that provides a vulnerability dataset for NuGet to run auditing with, however, NuGet audits any source as long as the source provides the [`VulnerabilityInfo` resource](/nuget/api/vulnerability-info).

You can configure the level at which auditing will fail by setting the `<NuGetAuditLevel>` MSBuild property. Possible values are `low`, `moderate`, `high`, and `critical`. For example if you only want to see moderate, high, and critical advisories, you can set the property to `moderate`.

In .NET 8 and .NET 9, only *direct* package references are audited by default. Starting in .NET 10, NuGet audits both *direct* and *transitive* package references by default. You can change the mode by setting the `<NuGetAuditMode>` MSBuild property to `direct` or `all`.
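
Review bot: The sentence added after the XML block reads as self-contradictory: it states that NuGet.org is "the only package source that provides a vulnerability dataset" and then that NuGet audits any source that provides the `VulnerabilityInfo` resource, with the two halves joined by a comma-spliced "however". Suggest splitting it into two sentences and qualifying the first claim, for example: "NuGet.org provides a vulnerability dataset for auditing. NuGet also audits against any other configured source that provides the `VulnerabilityInfo` resource." Separately, the reworded lead-in above the XML block drops "as one of your package sources", so the snippet can be read as the complete `<packageSources>` section; consider keeping that wording so readers with private feeds add the nuget.org entry alongside their existing sources rather than replacing them.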