I've a query around software that is provisioned via the package feed module.

In a world where there is a big focus on risk, vulnerabilities and cyber security - can you let me know if the software that can enter an organization via the package feed module is scanned for vulnerabilities or does each package have a risk or vulnerability rating associated with it?