🤖 AI Summary
This study investigates the mechanisms and root causes of low vulnerability notification (VN) remediation rates among shared hosting providers (HPOs). Through semi-structured interviews with 24 HPOs of varying scales, we conduct a qualitative analysis of how organizational structure, service models, and security responsibility allocation influence VN response. We find that although VNs are received reliably, remediation remains persistently low due to three interrelated factors: (1) customers’ exclusive responsibility for application-layer security, (2) constrained operational resources, and (3) rigid demarcation of security accountability—collectively undermining both motivation and capacity for proactive remediation. This reveals a structural misalignment in security incentives between HPOs and their customers. To our knowledge, this is the first study to uncover the organizational drivers of VN inefficacy, moving beyond prior technical-centric approaches. Our findings provide both theoretical grounding and actionable strategies for improving large-scale, cross-stakeholder vulnerability coordination.
📝 Abstract
Large-scale vulnerability notifications (VNs) can help hosting provider organizations (HPOs) identify and remediate security vulnerabilities that attackers can exploit in data breaches or phishing campaigns. Previous VN studies have primarily focused on factors under the control of reporters, such as sender reputation, email formatting, and communication channels. Despite these efforts, remediation rates for vulnerability notifications continue to remain consistently low. This paper presents the first in-depth study of how HPOs process vulnerability notifications internally and what organizational and operational factors influence VN effectiveness. We examine the problem from a different perspective to provide the first detailed understanding of the reasons behind persistently low remediation rates. Instead of manipulating parameters of VN campaigns, we interview hosting providers directly, investigating how they handle vulnerability notifications and what factors may influence VN effectiveness, such as VN awareness and reachability, HPOs' service models, and perceived security risks.
We conducted semi-structured interviews with 24 HPOs across shared hosting and web development services, representing varied company sizes and operator roles. Our findings reveal practical insights on VN processing and abuse workflows. While some providers remain hard to reach due to complex infrastructures, most report routinely handling VNs. However, limited remediation often stems from strict responsibility boundaries, where web application issues are seen as the customer's domain. Low hosting fees and high volumes of daily compromises further discourage both proactive and reactive measures. Our findings show that HPOs blame negligent website owners, and prior work on website owners confirms that they often undervalue their sites or lack security know-how.