Add info about data.nuget.org

Author: zivkan

docs/api/implementation-guide.md

@@ -112,6 +112,10 @@ NuGet does not require that resources in the [service index](./service-index.md)
 However, there are several reasons why some companies choose to block nuget.org at the firewall, or have on-prem feeds on a disconnected network.
 To avoid connectivity issues, we recommend serving vulnerability data from your own web app, so that NuGet clients only make HTTP connections to the host the feed is installed on.
 
+As an alternative to caching or proxying, users can ask their network administrator to allow access to `https://data.nuget.org/v3/index.json` and configure it as an [audit source](../concepts/Auditing-Packages.md#audit-sources).
+This endpoint only serves vulnerability data, not packages, so it might be allowed even when `api.nuget.org` is blocked.
+When users configure `data.nuget.org` as an audit source, your feed may not need to implement the `VulnerabilityInfo` resource.
+
 ✔️ DO cache or proxy the vulnerability pages in your own web app
 
 ❌ DO NOT advertise api.nuget.org in your service index or vulnerability index without a configuration to turn this off.

docs/concepts/Auditing-Packages.md

@@ -62,11 +62,19 @@ Since a common mitigation for package substitution attacks is [to use a single p
 The data source for nuget.org's vulnerability database is [GitHub Advisory Database](https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anuget).
 Note that the [V2 protocol is deprecated](../nuget-org/overview-nuget-org.md#api-endpoint-for-nugetorg), so if your nuget.config is still using the V2 endpoint, you must migrate to the V3 endpoint.
 
+nuget.org provides two service index endpoints that can be used as an audit source:
+
+- `https://api.nuget.org/v3/index.json` — The full nuget.org service index, which includes all NuGet resources (package download, search, vulnerability data, and more).
+- `https://data.nuget.org/v3/index.json` — A vulnerability-data-only service index that doesn't include package content or other resources.
+
+The `data.nuget.org` endpoint is useful for organizations that block access to `api.nuget.org` at the network level.
+Because this endpoint only serves vulnerability data and not packages, network administrators who block `api.nuget.org` to prevent package downloads might be willing to allow `data.nuget.org` if asked.
+
 ```xml
 <configuration>
     <auditSources>
         <clear />
-        <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
+        <add key="nuget.org" value="https://data.nuget.org/v3/index.json" />
     </auditSources>
 </configuration>
 ```

docs/concepts/Security-Best-Practices.md

@@ -175,6 +175,10 @@ For example:
 </configuration>
 ```
 
+> [!TIP]
+> If your organization blocks access to `api.nuget.org`, consider asking the network administrator to allow `https://data.nuget.org/v3/index.json` and configure it as an [audit source](Auditing-Packages.md#audit-sources) for [NuGet Audit](Auditing-Packages.md).
+> This endpoint only serves vulnerability data, not packages, so it might be allowed even when `api.nuget.org` is blocked.
+
 ### NuGet feeds
 
 **📦 Package Consumer**

docs/nuget-org/overview-nuget-org.md

@@ -50,3 +50,11 @@ To use NuGet.org as a package repository with NuGet clients, you should use the
 Older clients can still use the V2 protocol to reach NuGet.org. However, please note, NuGet clients 3.0 or later will have slower and less reliable service using the V2 protocol:
 
 `https://www.nuget.org/api/v2` (**The V2 protocol is deprecated!**)
+
+nuget.org also provides a vulnerability-data-only endpoint:
+
+`https://data.nuget.org/v3/index.json`
+
+This service index only contains the [`VulnerabilityInfo`](../api/vulnerability-info.md) resource and doesn't serve packages.
+It's designed for use as an [audit source](../concepts/Auditing-Packages.md#audit-sources) in environments where access to `api.nuget.org` is blocked at the network level.
+Because this endpoint doesn't provide package content, network administrators who block `api.nuget.org` to prevent package downloads might be willing to allow `data.nuget.org` if asked.

docs/reference/errors-and-warnings/NU1905.md

@@ -25,6 +25,9 @@ Any NuGet source implementing [NuGet's V3 server API can provide vulnerability d
 Any source defined in a NuGet.Config `<auditSources>` element is expected to provide this resource, and this warning is raised when it is not.
 You can check if your package source administrators have a setting to enable vulnerability data.
 
+If your audit source is nuget.org and access to `api.nuget.org` is blocked on your network, consider asking the network administrator to allow `https://data.nuget.org/v3/index.json` and use it as your audit source instead.
+This endpoint only serves vulnerability data, not packages, so it might be allowed even when `api.nuget.org` is blocked.
+
 If you would like to treat this warning as an error, to cause build failures when vulnerability checks could not be performed, you can add `<WarningAsError>$(WarningAsError);NU1905</WarningAsError>` to your project file.
 If you are using `TreatWarningsAsErrors` to cause all warnings to be treated as errors, you can add `<NoWarn>$(NoWarn);NU1905</NoWarn>` to your project file to suppress this warning message, or `<WarningsNotAsErrors>NU1905</WarningsNotAsErrors>` to prevent this warning from being treated as an error.
 

docs/reference/nuget-config-file.md

@@ -161,6 +161,11 @@ Audit sources support the same attributes as `packageSources` (`protocolVersion`
 </auditSources>
 ```
 
+> [!TIP]
+> nuget.org also provides `https://data.nuget.org/v3/index.json`, a service index that only contains vulnerability data and doesn't serve packages.
+> Network administrators who block `api.nuget.org` to prevent package downloads might be willing to allow `data.nuget.org` if asked.
+> For more information, see [audit sources](../concepts/Auditing-Packages.md#audit-sources).
+
 ### packageSourceCredentials
 
 Stores usernames and passwords for sources, typically specified with the `-username` and `-password` switches with `nuget sources`. Passwords are encrypted by default unless the `-storepasswordincleartext` option is also used.