> ## Documentation Index
> Fetch the complete documentation index at: https://docs.safedep.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Vulnerability

> What a vulnerability is in an open-source dependency, and how SafeDep surfaces and gates them.

A vulnerability is a publicly disclosed security flaw in a package's own code. The package is legitimate; the flaw is a defect introduced by its authors, not an attack. Unlike a [malicious package](/concepts/malicious-package), which is harmful by design, a vulnerable package is exploitable because of an unintentional mistake that the maintainers will usually fix in a later version.

Vulnerabilities are tracked under identifiers such as CVE IDs and GitHub Security Advisory (GHSA) IDs, and aggregated in open databases such as [OSV](https://osv.dev), which records for each advisory the ecosystem, the package name and the version ranges that are affected and fixed. Each advisory carries a severity, for example `CRITICAL` or `HIGH`, that signals how urgent a fix is. The severity rates the flaw in general, not whether the vulnerable code is reachable from your application, so treat it as a prioritisation signal rather than proof that your build is exploitable.

## How SafeDep surfaces them

[Vet](/governance/vet/overview) checks every dependency, matched on its ecosystem, name and resolved version, against OSV and reports known vulnerabilities with their severity. You decide what to do about them with [policy](/concepts/policy): for example, fail a build when any dependency has a `CRITICAL` or `HIGH` vulnerability, while only reporting lower severities so that they do not block delivery.
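The example below works through the mechanics behind both of the sections above: matching a resolved package version against OSV-style affected ranges, and applying a severity gate to the findings. It is an added example, not SafeDep or vet code. The advisory records, package name, version numbers and advisory identifiers are constructed placeholders that follow the OSV schema shape only; the `database_specific.severity` label is the convention used by GHSA-sourced OSV records, and other sources may instead publish CVSS vectors in the top-level `severity` list, which this example does not evaluate.

```python
"""Match package versions against OSV-style advisories and gate on severity.

Added example, not SafeDep or vet code. The records in ADVISORIES are
constructed: they follow the OSV schema layout but the IDs, package name
and versions are placeholders, not real advisories.
"""
from dataclasses import dataclass

# Constructed OSV-style records (schema shape only; IDs and versions are made up).
ADVISORIES = [
    {
        "id": "GHSA-xxxx-xxxx-xxxx",
        "aliases": ["CVE-0000-00000"],
        "affected": [{
            "package": {"ecosystem": "npm", "name": "example-lib"},
            "ranges": [{"type": "SEMVER",
                        "events": [{"introduced": "1.2.0"}, {"fixed": "1.4.1"}]}],
        }],
        "database_specific": {"severity": "HIGH"},
    },
    {
        "id": "GHSA-yyyy-yyyy-yyyy",
        "aliases": [],
        "affected": [{
            "package": {"ecosystem": "npm", "name": "example-lib"},
            "ranges": [{"type": "SEMVER",
                        "events": [{"introduced": "0"}, {"fixed": "1.0.0"}]}],
        }],
        "database_specific": {"severity": "MODERATE"},
    },
]

# Ordering used by the gate; GHSA uses MODERATE where CVSS would say MEDIUM.
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MODERATE": 2, "LOW": 1}


def parse_semver(v: str) -> tuple:
    """Turn 'MAJOR.MINOR.PATCH' into a comparable tuple, padding short forms
    such as OSV's '0' (meaning 'since the first release') to three parts.
    Pre-release and build metadata are dropped for this example."""
    core = v.split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def version_in_range(version: str, events: list) -> bool:
    """Walk an OSV SEMVER event list in order. A version is affected once it
    reaches an 'introduced' event and stops being affected at the next
    'fixed' (or past a 'last_affected') event; a range with no closing
    event stays open-ended."""
    v = parse_semver(version)
    affected = False
    for ev in events:
        if "introduced" in ev:
            if v >= parse_semver(ev["introduced"]):
                affected = True
        elif "fixed" in ev:
            if v >= parse_semver(ev["fixed"]):
                affected = False
        elif "last_affected" in ev:
            if v > parse_semver(ev["last_affected"]):
                affected = False
    return affected


@dataclass
class Finding:
    package: str
    version: str
    advisory_id: str
    aliases: list
    severity: str


def find_vulnerabilities(ecosystem: str, name: str, version: str, advisories=ADVISORIES):
    """Return one Finding per advisory whose affected ranges cover this exact version."""
    findings = []
    for adv in advisories:
        for aff in adv["affected"]:
            pkg = aff["package"]
            if pkg["ecosystem"] != ecosystem or pkg["name"] != name:
                continue
            if any(r["type"] == "SEMVER" and version_in_range(version, r["events"])
                   for r in aff["ranges"]):
                sev = adv.get("database_specific", {}).get("severity", "UNKNOWN").upper()
                findings.append(Finding(name, version, adv["id"], adv.get("aliases", []), sev))
                break  # one finding per advisory, even if several ranges match
    return findings


def gate(findings, fail_at: str = "HIGH") -> bool:
    """Policy decision: True means fail the build, because at least one finding
    is at or above the threshold. Unknown severities never trip the gate."""
    threshold = SEVERITY_RANK[fail_at]
    return any(SEVERITY_RANK.get(f.severity, 0) >= threshold for f in findings)


if __name__ == "__main__":
    for ver in ("0.9.0", "1.3.0", "1.4.1"):
        fs = find_vulnerabilities("npm", "example-lib", ver)
        print(ver, [(f.advisory_id, f.severity) for f in fs], "FAIL" if gate(fs) else "pass")
```

Running it shows the three outcomes a gate has to distinguish: `0.9.0` matches only the `MODERATE` advisory and passes a `HIGH` threshold, `1.3.0` sits inside the `HIGH` range and fails, and `1.4.1` is the fixed version and produces no finding at all. The version comparison is deliberately minimal; real tooling should use the ecosystem's own version ordering (npm semver, PEP 440, Go module versions) rather than a numeric tuple.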

## Related

<CardGroup cols={2}>
  <Card title="Malicious Package" icon="shield-virus" href="/concepts/malicious-package">
    The other kind of dependency risk: packages that are harmful by design.
  </Card>

  <Card title="Policy" icon="file-shield" href="/concepts/policy">
    Gate builds on vulnerability severity.
  </Card>

  <Card title="Repository Scanning" icon="magnifying-glass" href="/governance/vet/overview">
    Scan a repository's dependencies for known vulnerabilities.
  </Card>

  <Card title="SBOM" icon="list-check" href="/concepts/sbom">
    Inventory the components you ship.
  </Card>
</CardGroup>
