The Snyk vulnerability database contains both malicious packages as well as known vulnerabilities.
Most of the vulnerabilities in our database originate from one of these sources:
- Monitoring other vulnerability databases, such as CVEs from NVD and many others.
- Monitoring user activity on GitHub, including issues, PRs and commit messages that may indicate a vulnerability.
- Bulk research, using tools that look for repeated security mistakes across open source package code
- Manual research, investing our researchers time to manually audit more widely used packages for security flaws.
If you are aware of a vulnerability that is missing from our database then report it to report@snyk.io., for more information about reporting vulnerabilities and the responsible disclosure process take a look at https://docs.snyk.io/more-info/disclosing-vulnerabilities.