diff --git a/lib/advisory.js b/lib/advisory.js
index 4ce00bf..a75c097 100644
--- a/lib/advisory.js
+++ b/lib/advisory.js
@@ -38,8 +38,12 @@ class Advisory {
     this.severity = source.severity
     this.versions = []
     this.vulnerableVersions = []
+    // advisories have the range, metavulns do not
-    this.range = source.vulnerable_versions || null
+    // if an advisory doesn't specify range, assume all are vulnerable
+    this.range = this.type === 'advisory' ? source.vulnerable_versions || '*'
+      : null
+
     this.id = hash(this)
     this[_packument] = null
diff --git a/test/advisory.js b/test/advisory.js
index 2014d68..3365f55 100644
--- a/test/advisory.js
+++ b/test/advisory.js
@@ -322,3 +322,20 @@ t.test('a package with only prerelease versions', t => {
   t.end()
 })
+t.test('default to * when no vulnerable_versions specified', t => {
+  const name = 'no-vulnerable-versions-specified'
+  const v = new Advisory(name, advisories[name])
+  t.same(v, {
+    source: 123456789,
+    name: 'no-vulnerable-versions-specified',
+    dependency: 'no-vulnerable-versions-specified',
+    title: 'No versions, so all are vulnerabje',
+    url: 'https://npmjs.com/advisories/123456789',
+    severity: 'low',
+    versions: [],
+    vulnerableVersions: [],
+    range: '*',
+    id: 'scjW9DzqGzCfXM/NEoe9MtD/27lWe9N5ezyJTS2HbpWLiB4FNH5GNenSysezlswMnQwIUtWkVPbWUqRJtUfUJA==',
+  }, 'default to all versions being considered vulnerable')
+  t.end()
+})
diff --git a/test/fixtures/advisories/no-vulnerable-versions-specified.json b/test/fixtures/advisories/no-vulnerable-versions-specified.json
new file mode 100644
index 0000000..bf7afd5
--- /dev/null
+++ b/test/fixtures/advisories/no-vulnerable-versions-specified.json
@@ -0,0 +1,6 @@
+{
+  "id": 123456789,
+  "url": "https://npmjs.com/advisories/123456789",
+  "title": "No versions, so all are vulnerabje",
+  "severity": "low"
+}
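Review bot: The new `'*'` default is assigned to `this.range` before the `this.id = hash(this)` line that follows it, so an advisory whose source lacks `vulnerable_versions` now hashes to a different id than the same advisory did under the old `|| null`; if ids are persisted or compared across versions of this module (not visible in the hunk), cached entries for such advisories will stop matching and need invalidation. The fail-closed choice itself is sound: a missing range means every version is treated as vulnerable rather than none. That dependency is worth stating at the hash site, e.g. `// range feeds hash(this): range-less advisories now hash with '*', not null`. Note also that `source.vulnerable_versions || '*'` maps an empty-string range to `'*'` as well, which matches the intent but should be mentioned in the comment. The constructor begins and ends outside this hunk.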