In open-source software (OSS), software vulnerabilities have significantly increased. Although researchers have investigated the perspectives of vulnerability reporters and OSS contributor security practices, understanding the perspectives of OSS maintainers on vulnerability management and platform security features is currently understudied. In this paper, we investigate the perspectives of OSS maintainers who maintain projects listed in the GitHub Advisory Database. We explore this area by conducting two studies: identifying aspects through a listing survey ($n_1=80$) and gathering insights from semi-structured interviews ($n_2=22$). Of the 37 identified aspects, we find that supply chain mistrust and lack of automation for vulnerability management are the most challenging, and barriers to adopting platform security features include a lack of awareness and the perception that they are not necessary. Surprisingly, we find that despite being previously vulnerable, some maintainers still allow public vulnerability reporting, or ignore reports altogether. Based on our findings, we discuss implications for OSS platforms and how the research community can better support OSS vulnerability management efforts.

翻译：在开源软件（OSS）中，软件漏洞已显著增加。尽管研究者已调查过漏洞报告者的观点以及OSS贡献者的安全实践，但目前对OSS维护者在漏洞管理和平台安全功能方面的观点理解仍显不足。本文调查了维护GitHub安全通告数据库中项目的OSS维护者的观点。我们通过两项研究探索这一领域：通过清单调查识别相关方面（$n_1=80$），以及通过半结构化访谈收集深入见解（$n_2=22$）。在已识别的37个方面中，我们发现供应链不信任和漏洞管理自动化缺失是最具挑战性的问题，而采用平台安全功能的主要障碍包括缺乏认知以及认为这些功能并非必要。令人惊讶的是，我们发现尽管曾存在漏洞，部分维护者仍允许公开漏洞报告，或完全忽略报告。基于研究结果，我们讨论了其对OSS平台的启示，以及研究界如何更好地支持OSS漏洞管理工作。