A Deep Dive Into How Open-Source Project Maintainers Review and Resolve Bug Bounty Reports

📅 2024-09-12
🏛️ arXiv.org
📈 Citations: 1
Influential: 0
🤖 AI Summary
This study investigates the core challenges and needs of open-source maintainers—particularly those lacking security expertise or institutional support—when triaging security reports on bug bounty platforms (e.g., huntr). Employing a mixed-methods approach—including a checklist-based survey (n=51), Likert-scale questionnaire (n=90), and semi-structured interviews (n=17)—it systematically identifies and categorizes 40 key practice characteristics for the first time. Results indicate that private disclosure and increased project visibility yield the greatest benefits; conversely, bounty hunters’ instrumental motivations and reviewer workload constitute the most salient challenges. Notably, CVE assignment support is deemed non-essential, and communication gaps are not perceived as primary barriers. The study proposes evidence-based process optimizations tailored to maintainers’ workflows, offering empirically grounded design principles and practical guidance for vulnerability response platforms.

📝 Abstract
Researchers have investigated the bug bounty ecosystem from the lens of platforms, programs, and bug hunters. Understanding the perspectives of bug bounty report reviewers, especially those who historically lack a security background and little to no funding for bug hunters, is currently understudied. In this paper, we primarily investigate the perspective of open-source software (OSS) maintainers who have used huntr, a bug bounty platform that pays bounties to bug hunters who find security bugs in GitHub projects and have had valid vulnerabilities patched as a result. We address this area by conducting three studies: identifying characteristics through a listing survey ($n_1=51$), their ranked importance with Likert-scale survey data ($n_2=90$), and conducting semi-structured interviews to dive deeper into real-world experiences ($n_3=17$). As a result, we categorize 40 identified characteristics into benefits, challenges, helpful features, and wanted features. We find that private disclosure and project visibility are the most important benefits, while hunters focused on money or CVEs and pressure to review are the most challenging to overcome. Surprisingly, lack of communication with bug hunters is the least challenging, and CVE creation support is the second-least helpful feature for OSS maintainers when reviewing bug bounty reports. We present recommendations to make the bug bounty review process more accommodating to open-source maintainers and identify areas for future work.
Problem

Research questions and friction points this paper is trying to address.

Open Source Software
Vulnerability Bounty Platforms
Security Patch Management
Innovation

Methods, ideas, or system contributions that make the work stand out.

Open-source maintainers
Vulnerability bounty systems
Security challenge insights