diff --git a/datastore/postgres/migrations/matcher/18-vulnerability-not.sql b/datastore/postgres/migrations/matcher/18-vulnerability-not.sql
new file mode 100644
index 000000000..1a08e37bc
--- /dev/null
+++ b/datastore/postgres/migrations/matcher/18-vulnerability-not.sql
@@ -0,0 +1,4 @@
+ALTER TABLE vuln
+ADD COLUMN IF NOT EXISTS not_vulnerable BOOLEAN NOT NULL DEFAULT false;
+
+COMMENT ON COLUMN vuln.not_vulnerable IS 'Invert the meaning of the record: assert that described versions are not vulnerable.';
diff --git a/vulnerability.go b/vulnerability.go
index d16f1914f..d78cc1cb2 100644
--- a/vulnerability.go
+++ b/vulnerability.go
@@ -50,6 +50,10 @@ type Vulnerability struct {
 // For instances from a claircore "datastore" implementation, this will also
 // include the "Self" alias.
 Aliases []Alias
+
+ // Invert means this Vulnerability should be interpreted as an assertion
+ // that matched packages are NOT vulnerable to the indicated flaw.
+ Invert bool
 }

 // CheckVulnernableFunc takes a vulnerability and an indexRecord and checks if the record is
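Review bot: In 18-vulnerability-not.sql the new `not_vulnerable` column changes what a row means, but the migration leaves any existing uniqueness or de-duplication key on `vuln` as it was. That key is not visible in this diff; if it is derived from the other columns only, a record and its inversion would collide and whichever was stored first would win, either hiding a real finding or dropping the exemption. It is worth confirming that the key takes the new column into account and saying so in the column comment, for example by appending `Rows that differ only in this flag are distinct records.` to the existing text.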
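Review bot: The doc comment on `Invert` in vulnerability.go does not say which record wins when the same package is matched by both an inverted and a non-inverted record, and it does not warn that code which never reads the field will keep treating the record as a positive finding. Because the flag can suppress a result, both points belong next to the field; `// The zero value keeps the normal meaning. Consumers must check Invert before reporting a match.` would cover the second, with the precedence rule added once it is decided. The field name also differs from the `not_vulnerable` column it presumably maps to, which the comment could mention. The `Vulnerability` struct begins above this hunk, so its other fields were not reviewed.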