What is OSV (Open Source Vulnerabilities)?
Last reviewed June 2, 2026
OSV (Open Source Vulnerabilities) is an open, distributed vulnerability database and data format for open-source software, started by Google and hosted at osv.dev. It defines the OSV schema, a precise, machine-readable format that records exactly which package versions a vulnerability affects. OSV aggregates many community databases - such as GHSA, PyPA, and RustSec - into one queryable place, with a stronger focus on automated package matching than the NVD.
OSV in one sentence
OSV stands for Open Source Vulnerabilities. It is an open project, originally started by Google, that consists of two parts: a machine-readable data format (the OSV schema) and a free aggregated database and API hosted at osv.dev.
The goal of OSV is to make vulnerability data for open-source software precise and automatable, so that tools can reliably answer the question, is this exact package version affected, without manual interpretation.
The OSV schema
The OSV schema is the heart of the project. It is a JSON format that describes a vulnerability with explicit, ecosystem-aware data rather than free text.
- Affected packages are named by ecosystem (for example npm, PyPI, crates.io, Go) plus the package name.
- Affected versions are expressed as ranges with introduced and fixed points, so tools can compute precisely whether a given version is vulnerable.
- Each record carries a stable ID, aliases (such as the related CVE), references, and severity data.
- Because the format is standardized, any database that adopts it can be consumed by the same set of tools.
How OSV aggregates sources
OSV is described as distributed because it does not try to be the single authority for every vulnerability. Instead, individual ecosystem databases export their data in the OSV schema, and osv.dev aggregates those feeds into one searchable index.
Contributing sources include the GitHub Advisory Database (GHSA), the Python Packaging Advisory Database (PyPA), the RustSec advisory database for Rust crates, and many language- and ecosystem-specific databases. The aliases field ties these together and links them back to CVE IDs.
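The following is an added example, not code from the OSV project or osv.dev: it parses a constructed OSV-schema record (the IDs in it are placeholders, not real advisories) and answers the question the schema is built for, namely whether a given ecosystem, package name and version fall inside the affected ranges, and it reads the aliases field to find the linked CVE. It assumes plain dotted-integer versions for comparison, which is a simplification; real scanners apply ecosystem-specific ordering (PEP 440 for PyPI, semver for npm) and can also evaluate GIT ranges, which this example skips.

```python
import json

# Constructed sample OSV record for illustration. The id, aliases and package
# names are placeholders, not real advisories or real packages.
SAMPLE_OSV_JSON = json.dumps({
    "schema_version": "1.4.0",
    "id": "OSV-EXAMPLE-0001",
    "aliases": ["CVE-0000-00001", "GHSA-xxxx-xxxx-xxxx"],
    "summary": "Constructed example: placeholder issue in example-lib",
    "affected": [
        {   # two vulnerable intervals: [1.0.0, 1.4.2) and [2.0.0, 2.1.0)
            "package": {"ecosystem": "PyPI", "name": "example-lib"},
            "ranges": [{"type": "ECOSYSTEM", "events": [
                {"introduced": "1.0.0"}, {"fixed": "1.4.2"},
                {"introduced": "2.0.0"}, {"fixed": "2.1.0"}]}],
        },
        {   # "0" means "from the first release"; last_affected is inclusive
            "package": {"ecosystem": "npm", "name": "example-lib"},
            "ranges": [{"type": "ECOSYSTEM", "events": [
                {"introduced": "0"}, {"last_affected": "3.2.1"}]}],
        },
    ],
})
SAMPLE_RECORD = json.loads(SAMPLE_OSV_JSON)


def parse_version(v: str) -> tuple:
    """Simplified version parsing: dotted integers only (an assumption)."""
    return tuple(int(part) for part in v.split("."))


def version_lt(a: str, b: str) -> bool:
    """True if version a sorts strictly before version b (missing parts are 0)."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    return pa + (0,) * (n - len(pa)) < pb + (0,) * (n - len(pb))


def range_affects(rng: dict, version: str) -> bool:
    """Walk the range's events in order; the last event at or below the
    queried version decides the state (introduced opens, fixed/last_affected
    closes an affected interval)."""
    affected = False
    for event in rng["events"]:
        if "introduced" in event:
            intro = event["introduced"]
            if intro == "0" or not version_lt(version, intro):   # version >= introduced
                affected = True
        elif "fixed" in event:
            if not version_lt(version, event["fixed"]):          # version >= fixed
                affected = False
        elif "last_affected" in event:
            if version_lt(event["last_affected"], version):      # version > last_affected
                affected = False
    return affected


def is_affected(record: dict, ecosystem: str, name: str, version: str) -> bool:
    """Does this OSV record say (ecosystem, name, version) is vulnerable?"""
    for entry in record.get("affected", []):
        pkg = entry.get("package", {})
        if pkg.get("ecosystem") != ecosystem or pkg.get("name") != name:
            continue
        if version in entry.get("versions", []):   # explicit enumerated versions
            return True
        for rng in entry.get("ranges", []):
            # GIT ranges hold commit hashes and need repository history; skipped here.
            if rng.get("type") not in ("ECOSYSTEM", "SEMVER"):
                continue
            if range_affects(rng, version):
                return True
    return False


def cve_aliases(record: dict) -> list:
    """CVE identifiers linked to this record via the aliases field."""
    return [a for a in record.get("aliases", []) if a.startswith("CVE-")]


def scan_inventory(record: dict, inventory: list) -> list:
    """Match a list of (ecosystem, name, version) tuples, e.g. from an SBOM,
    against one record; returns (ecosystem, name, version, osv_id, cves)."""
    findings = []
    for ecosystem, name, version in inventory:
        if is_affected(record, ecosystem, name, version):
            findings.append((ecosystem, name, version, record["id"], cve_aliases(record)))
    return findings


if __name__ == "__main__":
    # Constructed inventory: only the first and third entries fall in a range.
    inventory = [("PyPI", "example-lib", "1.3.0"),
                 ("PyPI", "example-lib", "1.5.0"),
                 ("npm", "example-lib", "3.2.1")]
    for finding in scan_inventory(SAMPLE_RECORD, inventory):
        print(finding)
```

The event walk is the important part: a single range can describe several disjoint vulnerable intervals, and a fixed version is the first safe one, whereas last_affected is the last vulnerable one. Those two readings are exactly what CPE-style configuration data leaves to human interpretation and what the OSV schema makes explicit.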
How OSV differs from the NVD
OSV and the NVD overlap but were built for different jobs. The NVD is a broad, CVE-centric database covering software, firmware, and hardware, and it leans on CPE identifiers and human-written configuration data.
OSV is narrower and deeper: it focuses on open-source packages and encodes affected versions in a way that maps directly onto package managers, which makes automated matching more reliable for dependencies. For an application built largely from open-source libraries, OSV often gives cleaner, lower-noise results than CPE-based matching.
| Aspect | OSV | NVD |
|---|---|---|
| Primary scope | Open-source packages | Software, firmware, and hardware |
| Identity model | Ecosystem plus package name and version ranges | CPE product identifiers |
| Structure | Distributed, aggregates many source databases | Centralized, CVE-based catalog |
| Best suited to | Dependency and SBOM matching | Broad CVE enrichment and lookup |
Keep exploring
- What is GHSA? A major source database that OSV aggregates.
- What is the NVD? The CVE-centric database OSV is often contrasted with.
- What is a CVE? The global identifier OSV records link to via aliases.
- What is an SBOM? Inventories that OSV is well suited to scan for vulnerabilities.
- What is a CPE? The NVD identity model that OSV package matching replaces.
- What is vulnerability management? The workflow OSV data feeds into.
Frequently asked questions
- What does OSV stand for?
- OSV stands for Open Source Vulnerabilities. It refers both to the OSV schema, a data format, and to the aggregated database and API hosted at osv.dev.
- Who created OSV?
- OSV was started by Google to improve the precision and automation of open-source vulnerability data. It is now an open project with many contributing databases.
- How is OSV different from the NVD?
- The NVD is a broad, CVE-centric, CPE-based database. OSV focuses on open-source packages and encodes affected versions in a way that maps directly onto package managers, which makes automated dependency matching more reliable.
- Does OSV replace CVE IDs?
- No. OSV records reference CVE IDs through their aliases field. OSV adds precise package and version data on top of the existing CVE identifiers rather than replacing them.