How to Become Part of the Python Security Response Team: Governance, Onboarding, and Impact


The Python Security Response Team (PSRT) has long been the backbone of vulnerability handling for the Python ecosystem. Two recent developments, the formal governance document PEP 811 and the onboarding of Jacob Coffee as the first non-Release Manager member since 2023, mark a shift toward greater transparency and sustainability. With support from sponsors such as Alpha-Omega, the team is better resourced than it has ever been. Below, we answer key questions about the team, its processes, and how you can get involved.

What is the Python Security Response Team (PSRT) and why does it matter?

The PSRT is a dedicated group of volunteers and paid Python Software Foundation staff who triage and coordinate vulnerability reports and remediations for the Python ecosystem. Their work keeps millions of Python users safe by ensuring security issues are handled privately and patches are released promptly. Just last year, the PSRT published 16 vulnerability advisories for CPython and pip—the most in a single year to date. This is no small feat; it involves coordinating with maintainers, reviewing fixes for API compatibility and maintainability, and sometimes alerting other open source projects about cross-project impacts. Without the PSRT, many vulnerabilities could go unaddressed or be disclosed prematurely, putting entire systems at risk.


What governance changes came with PEP 811?

PEP 811 introduced a formal governance structure for the PSRT, making its operations more transparent and sustainable. Key changes include: a public list of members, documented responsibilities for both members and admins, and a defined process for onboarding and offboarding team members. The document also clarifies the relationship between the PSRT and the Python Steering Council, ensuring accountability while preserving the team’s independence in security decisions. This governance update balances the need for security (keeping access to private reports limited) with the need for sustainability (adding new members over time). It is a major step toward making the PSRT’s work more visible and its processes repeatable.

How are new PSRT members onboarded?

The onboarding process is straightforward but deliberate. An existing PSRT member must nominate you, and then the nomination requires at least a ⅔ positive vote from current members. You do not need to be a core developer or even a triager to qualify—skills and dedication matter more than formal titles. A recent example is Jacob Coffee, the PSF Infrastructure Engineer, who became the first non-Release Manager member since Seth Larson joined in 2023. This new process ensures the team stays diverse and capable while maintaining trust and security. Once onboarded, members help triage reports, coordinate fixes, and often mentor newer volunteers.

How does the PSRT collaborate with other open source projects?

Security rarely exists in isolation. The PSRT actively involves maintainers and experts from affected projects during the remediation process. This ensures patches align with existing API conventions, threat models, and long-term maintainability. Additionally, the PSRT coordinates with other open source projects to avoid surprising the broader ecosystem. For example, when addressing the PyPI ZIP archive differential attack, the team worked with PyPI maintainers to deliver coordinated advisories. By sharing insights and timing, they reduce the chance of partial fixes or incomplete disclosures.

What support does the PSRT receive from sponsors and volunteers?

The PSRT’s work is powered by a mix of volunteers and sponsored staff. Alpha-Omega has been a key sponsor, funding Seth Larson as the Security Developer-in-Residence at the Python Software Foundation. This role allows dedicated, full-time attention to security processes, tooling improvements (like GitHub Security Advisories integration), and team coordination. Despite this support, the team always welcomes more volunteers—especially those with experience in vulnerability handling or project maintenance. New members help distribute the workload and ensure the team can handle the growing number of reports while maintaining sustainability.

How can I join the PSRT and get recognition for my work?

If you’re interested in directly helping secure Python, the path is clear: get nominated by a current PSRT member, then receive at least ⅔ approval from the team. Build relationships by contributing to Python’s security ecosystem—report responsibly, triage issues, or help draft patches. Once you’re a member, your contributions are increasingly recorded and credited: Seth Larson and Jacob Coffee are developing workflows that embed reporter, coordinator, and developer names into CVE and OSV records via GitHub Security Advisories. This ensures that even private security work receives public recognition, celebrating the efforts that keep Python safe for everyone.
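The credit workflow described above relies on the credits field that the OSV advisory format (and, analogously, the CVE record format) provides. The script below is an added example, not the PSRT's or the PSF's own tooling: it loads an OSV-style advisory, validates each credit entry against the credit types defined by the OSV schema, and renders an acknowledgment line. The field names and type enumeration are those of the OSV schema; the advisory content, the names, the contact URL, and the handling of a missing type as OTHER are this example's own constructions.

```python
"""Added example: validate and render the credits on an OSV-format advisory.

The schema fields used (credits[].name, credits[].type, credits[].contact) and
the set of credit types come from the OSV schema. The advisory below is a
constructed sample, not a real PSF advisory.
"""
import json

# Credit types enumerated by the OSV schema for credits[].type.
OSV_CREDIT_TYPES = {
    "FINDER", "REPORTER", "ANALYST", "COORDINATOR",
    "REMEDIATION_DEVELOPER", "REMEDIATION_REVIEWER",
    "REMEDIATION_VERIFIER", "TOOL", "SPONSOR", "OTHER",
}

# Constructed sample advisory (hypothetical id and names); only the fields this
# example touches are filled in. The last three entries are deliberately bad.
SAMPLE_ADVISORY_JSON = json.dumps({
    "id": "EXAMPLE-0000",
    "summary": "Constructed example advisory",
    "credits": [
        {"name": "Alice Finder", "type": "REPORTER",
         "contact": ["https://example.invalid/alice"]},
        {"name": "Bob Coordinator", "type": "COORDINATOR"},
        {"name": "Carol Dev", "type": "REMEDIATION_DEVELOPER"},
        {"name": "Dave", "type": "remediation_developer"},  # wrong case: rejected
        {"name": "", "type": "REPORTER"},                   # empty name: rejected
        {"name": "Eve", "type": "WIZARD"},                  # unknown type: rejected
    ],
})

# How each role is phrased in the acknowledgment line (this example's wording).
ROLE_PHRASES = [
    ("REPORTER", "reported by"),
    ("FINDER", "found by"),
    ("COORDINATOR", "coordinated by"),
    ("REMEDIATION_DEVELOPER", "fixed by"),
    ("REMEDIATION_REVIEWER", "fix reviewed by"),
]


def load_advisory(text):
    """Parse an OSV advisory from its JSON text."""
    return json.loads(text)


def validate_credits(advisory):
    """Split credits into (valid, problems).

    valid: normalized entries with name, type and contact list.
    problems: (index, reason) pairs for entries that are rejected.
    """
    valid, problems = [], []
    for i, entry in enumerate(advisory.get("credits", [])):
        if not isinstance(entry, dict):
            problems.append((i, "credit entry is not an object"))
            continue
        name = entry.get("name")
        # OSV makes type optional; treating a missing type as OTHER is this
        # example's choice, not a schema rule.
        ctype = entry.get("type", "OTHER")
        contact = entry.get("contact", [])
        if not isinstance(name, str) or not name.strip():
            problems.append((i, "missing or empty name"))
            continue
        if ctype not in OSV_CREDIT_TYPES:
            problems.append((i, f"unknown credit type {ctype!r}"))
            continue
        if not (isinstance(contact, list)
                and all(isinstance(c, str) for c in contact)):
            problems.append((i, "contact must be a list of strings"))
            continue
        valid.append({"name": name.strip(), "type": ctype,
                      "contact": list(contact)})
    return valid, problems


def credits_by_role(advisory):
    """Map each credit type to the list of credited names, valid entries only."""
    roles = {}
    for credit in validate_credits(advisory)[0]:
        roles.setdefault(credit["type"], []).append(credit["name"])
    return roles


def acknowledgment_line(advisory):
    """Render a one-line acknowledgment in role order, e.g. for release notes."""
    roles = credits_by_role(advisory)
    parts = [f"{phrase} {', '.join(roles[t])}"
             for t, phrase in ROLE_PHRASES if t in roles]
    if not parts:
        return "No credited contributors."
    text = "; ".join(parts)
    return text[0].upper() + text[1:] + "."


if __name__ == "__main__":
    adv = load_advisory(SAMPLE_ADVISORY_JSON)
    _, bad = validate_credits(adv)
    for index, reason in bad:
        print(f"credit[{index}] rejected: {reason}")
    print(acknowledgment_line(adv))
```

The rejection cases matter in practice: a tool that writes credits into a CVE or OSV record should refuse malformed entries rather than publish them, because published advisories are mirrored widely and corrections propagate slowly.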
