This study investigates the practical challenges faced by open-source software maintainers in responding to security vulnerabilities and leveraging platform security features within the GitHub Advisory Database, aiming to mitigate two core challenges: supply-chain distrust and insufficient automation in governance. Through a structured survey of 80 maintainers and in-depth interviews with 22, complemented by thematic coding and grounded theory analysis, the work systematically identifies 37 key practice dimensions—revealing counterintuitive phenomena such as “tolerating public vulnerability disclosure” and “ignoring known vulnerabilities.” Five major barrier categories are synthesized (e.g., inadequate awareness of security features, misjudgment of their necessity). Based on these findings, the study proposes actionable, evidence-based recommendations for platform design improvements and enhanced community support, advancing a maintainer-centric paradigm shift in vulnerability governance.

In open-source software (OSS), software vulnerabilities have significantly increased. Although researchers have investigated the perspectives of vulnerability reporters and OSS contributor security practices, understanding the perspectives of OSS maintainers on vulnerability management and platform security features is currently understudied. In this paper, we investigate the perspectives of OSS maintainers who maintain projects listed in the GitHub Advisory Database. We explore this area by conducting two studies: identifying aspects through a listing survey ($n_1=80$) and gathering insights from semi-structured interviews ($n_2=22$). Of the 37 identified aspects, we find that supply chain mistrust and lack of automation for vulnerability management are the most challenging, and barriers to adopting platform security features include a lack of awareness and the perception that they are not necessary. Surprisingly, we find that despite being previously vulnerable, some maintainers still allow public vulnerability reporting, or ignore reports altogether. Based on our findings, we discuss implications for OSS platforms and how the research community can better support OSS vulnerability management efforts.