diff --git a/lib/advisory.js b/lib/advisory.js
index 4ce00bf..d0900e3 100644
--- a/lib/advisory.js
+++ b/lib/advisory.js
@@ -35,11 +35,15 @@ class Advisory {
       this.url = null
     }
-    this.severity = source.severity
+    this.severity = source.severity || 'high'
     this.versions = []
     this.vulnerableVersions = []
+    // advisories have the range, metavulns do not
-    this.range = source.vulnerable_versions || null
+    // if an advisory doesn't specify range, assume all are vulnerable
+    this.range = this.type === 'advisory' ? source.vulnerable_versions || '*'
+      : null
+
     this.id = hash(this)
     this[_packument] = null
diff --git a/test/advisory.js b/test/advisory.js
index 2014d68..16a1ead 100644
--- a/test/advisory.js
+++ b/test/advisory.js
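Review bot: The `'*'` fallback on the new `this.range` line fails closed only when `vulnerable_versions` is missing or empty; a non-empty value that is not a valid semver range still passes through unchanged, and whatever range check consumes it later would presumably match no versions, silently turning the advisory into a no-op. If `semver` is already in scope in this module, consider treating an unparseable range the same as a missing one, e.g. `const range = source.vulnerable_versions` followed by `this.range = this.type === 'advisory' ? (range && semver.validRange(range) ? range : '*') : null`, keeping the original string so the pinned ids in the tests are unaffected. The same `||` choice on the `severity` line means an empty string becomes `'high'` but an unrecognized non-empty string is stored as-is; a comment such as `// '||' is deliberate: an empty field is treated as unspecified and defaults fail-closed` would make that intent explicit. Both defaults are applied before `this.id = hash(this)`, so the id reflects the substituted values, which is also worth noting in that comment. The constructor continues outside the hunk on both sides.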
@@ -322,3 +322,38 @@ t.test('a package with only prerelease versions', t => {
   t.end()
 })
+t.test('default to * when no vulnerable_versions specified', t => {
+  const name = 'no-vulnerable-versions-specified'
+  const v = new Advisory(name, advisories[name])
+  t.same(v, {
+    source: 123456789,
+    name: 'no-vulnerable-versions-specified',
+    dependency: 'no-vulnerable-versions-specified',
+    title: 'No versions, so all are vulnerable',
+    url: 'https://npmjs.com/advisories/123456789',
+    severity: 'low',
+    versions: [],
+    vulnerableVersions: [],
+    range: '*',
+    id: 'scjW9DzqGzCfXM/NEoe9MtD/27lWe9N5ezyJTS2HbpWLiB4FNH5GNenSysezlswMnQwIUtWkVPbWUqRJtUfUJA==',
+  }, 'default to all versions being considered vulnerable')
+  t.end()
+})
+
+t.test('default to "high" when no severity specified', t => {
+  const name = 'no-severity-specified'
+  const v = new Advisory(name, advisories[name])
+  t.same(v, {
+    source: 123456789,
+    name: 'no-severity-specified',
+    dependency: 'no-severity-specified',
+    title: 'No severity, so high severity',
+    url: 'https://npmjs.com/advisories/123456789',
+    severity: 'high',
+    versions: [],
+    vulnerableVersions: [],
+    range: '1.x',
+    id: 'ajZ5Jt7T99fpH0t8LgyBbDVivYlv/1OGrs/o+D8KmLDl+LKTjObUEt19cAZGaWdqiemuQOnvdZD577nKU+giIQ==',
+  }, 'default to all versions being considered vulnerable')
+  t.end()
+})
diff --git a/test/fixtures/advisories/no-severity-specified.json b/test/fixtures/advisories/no-severity-specified.json
new file mode 100644
index 0000000..e5fbc5e
--- /dev/null
+++ b/test/fixtures/advisories/no-severity-specified.json
@@ -0,0 +1,6 @@
+{
+  "id": 123456789,
+  "url": "https://npmjs.com/advisories/123456789",
+  "title": "No severity, so high severity",
+  "vulnerable_versions": "1.x"
+}
diff --git a/test/fixtures/advisories/no-vulnerable-versions-specified.json b/test/fixtures/advisories/no-vulnerable-versions-specified.json
new file mode 100644
index 0000000..92b402a
--- /dev/null
+++ b/test/fixtures/advisories/no-vulnerable-versions-specified.json
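Review bot: The assertion message on the second new test, `'default to all versions being considered vulnerable'`, is copied from the first test and describes the wrong behavior; it should read something like `'default to high severity when none is specified'` so a failure is reported against the right expectation. Neither test exercises the other arm of the changed `this.range` expression, the case where the instance is not of type `'advisory'` and the range must stay `null` even when the source carries `vulnerable_versions`; a fixture whose dependency differs from `name` (if that is what selects the metavuln type) would pin that the `'*'` default cannot leak into metavulns. A further case with `vulnerable_versions: ''` would pin that an empty string, not only an absent field, falls back to `'*'`, since the implementation relies on `||` for that.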
@@ -0,0 +1,6 @@
+{
+  "id": 123456789,
+  "url": "https://npmjs.com/advisories/123456789",
+  "title": "No versions, so all are vulnerable",
+  "severity": "low"
+}