diff --git a/docs/core/tools/dotnet-restore.md b/docs/core/tools/dotnet-restore.md index 2071590e11197..516b3904795d9 100644 --- a/docs/core/tools/dotnet-restore.md +++ b/docs/core/tools/dotnet-restore.md @@ -199,7 +199,7 @@ Starting in .NET 8, `dotnet restore` includes NuGet security auditing. This audi To opt out of the security auditing, set the `` MSBuild property to `false` in your project file. -To retrieve the known vulnerability dataset, ensure that you have the NuGet.org central registry defined as one of your package sources: +To retrieve the known vulnerability dataset from the NuGet.org central registry, define the following in the *nuget.config* file: ```xml @@ -207,6 +207,8 @@ To retrieve the known vulnerability dataset, ensure that you have the NuGet.org ``` +NuGet.org is the only package source that provides a vulnerability dataset for NuGet auditing. However, NuGet audits any source as long as the source provides the [`VulnerabilityInfo` resource](/nuget/api/vulnerability-info). + You can configure the level at which auditing will fail by setting the `` MSBuild property. Possible values are `low`, `moderate`, `high`, and `critical`. For example if you only want to see moderate, high, and critical advisories, you can set the property to `moderate`. In .NET 8 and .NET 9, only *direct* package references are audited by default. Starting in .NET 10, NuGet audits both *direct* and *transitive* package references by default. You can change the mode by setting the `` MSBuild property to `direct` or `all`.
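Review bot: In the first hunk (line 199 region), the rewritten sentence "To retrieve the known vulnerability dataset from the NuGet.org central registry, define the following in the *nuget.config* file" turns an advisory condition into an unconditional instruction and loses the actual requirement, which the removed line stated correctly: NuGet.org has to be one of the configured package sources for the audit to have any data to check against. A reader whose nuget.config already lists NuGet.org does not need to add anything, and a reader who relies on a private feed or mirror that omits NuGet.org will get a restore that reports no vulnerabilities simply because no dataset was fetched. Suggest keeping the condition, e.g. "To retrieve the known vulnerability dataset, make sure NuGet.org is defined as one of your package sources, for example in *nuget.config*:". Also, the fenced `xml` block that follows shows no content in this hunk as rendered, so the sentence "define the following" currently points at nothing; please confirm the `<packageSources>` snippet survives in the actual file.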
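Review bot: In the second hunk (line 207 region), the two added sentences contradict each other: "NuGet.org is the only package source that provides a vulnerability dataset for NuGet auditing" is immediately followed by "However, NuGet audits any source as long as the source provides the `VulnerabilityInfo` resource". If any source implementing the resource is audited, NuGet.org is not the only possible provider, only the only public one today. Suggest reordering and qualifying, e.g. "NuGet consumes vulnerability data from any package source that implements the [`VulnerabilityInfo` resource](/nuget/api/vulnerability-info). Currently, NuGet.org is the only public feed that provides this dataset." It would also help to state the practical consequence for readers using a private feed or mirror: a source that does not implement the resource contributes no vulnerability data, so auditing against it alone will silently report nothing, which ties back to the NuGet.org-as-a-source requirement in the preceding paragraph.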