All About the Python Security Response Team: Governance, Membership, and How to Get Involved


The Python Security Response Team (PSRT) plays a crucial role in keeping the Python ecosystem safe by triaging and coordinating vulnerability reports. Thanks to the work of Security Developer-in-Residence Seth Larson and the support of the Alpha-Omega project, the PSRT recently adopted a formal governance document (PEP 811) and an improved onboarding process. This article answers common questions about the PSRT, its updated structure, and how you can become a member.

What is the Python Security Response Team and why is it important?

The Python Security Response Team (PSRT) is a group of volunteers and paid Python Software Foundation staff responsible for handling security vulnerabilities in the Python language and related projects like pip. Their work includes triaging reports, coordinating fixes, and publishing advisories to keep all users safe. In 2023 alone, the PSRT published 16 vulnerability advisories—the highest number in a single year to date. The team often collaborates with project maintainers and experts to ensure fixes respect existing API conventions, remain maintainable long-term, and minimize impact on existing use cases. The PSRT also coordinates with other open source projects to avoid surprising the ecosystem; a recent example is the PyPI ZIP archive differential attack mitigation. Without the PSRT, security issues would go unmanaged, making this team essential for Python's reliability and trustworthiness.


What recent changes have been made to the PSRT's governance structure?

In 2024, the PSRT adopted a formal governance document called PEP 811, drafted by Security Developer-in-Residence Seth Larson. This document provides a public framework for how the team operates. Key changes include: a public list of members, documented responsibilities for members and admins, and a clear process for onboarding and offboarding members to balance security needs with sustainability. The document also clarifies the relationship between the PSRT and the Python Steering Council. These improvements add transparency and ensure the team can recruit new members while maintaining rigorous security standards.

Who is the new member of the PSRT and what does this signify?

The first person to join the PSRT through the new onboarding process is Jacob Coffee, the PSF Infrastructure Engineer. He is the first new non-Release Manager member since Seth Larson himself joined in 2023. This milestone demonstrates that the updated governance is working effectively. By opening membership beyond release managers, the PSRT can bring in diverse expertise—from infrastructure to security engineering—making the team more resilient and sustainable. More new members are expected to follow, further strengthening Python's security efforts.

How does the PSRT coordinate vulnerability responses with other projects?

The PSRT often collaborates with other open source projects when a vulnerability affects multiple ecosystems. Instead of publishing an advisory in isolation, the team coordinates with upstream and downstream projects to ensure fixes are released simultaneously or in a safe manner. This prevents the Python community from being caught off guard by a disclosure that impacts other tools. A notable example is the coordination around PyPI's ZIP archive differential attack mitigation. By involving experts from affected projects during the remediation process, the PSRT ensures that fixes adhere to existing API conventions, threat models, and maintainability goals while minimizing disruption to users.

How does the PSRT recognize contributors to security work?

Security contributions often happen privately, so the PSRT is working to give proper credit to everyone involved. Seth Larson and Jacob Coffee are developing improvements to workflows using GitHub Security Advisories. These improvements will record the reporter, coordinator, remediation developers, and reviewers. The data will then be included in official records like CVE and OSV entries, ensuring that contributors receive public recognition. This effort highlights that security work deserves the same celebration as source code or documentation contributions, encouraging more people to participate in keeping Python safe.

What is the process to join the PSRT?

Joining the PSRT follows a process similar to the Core Team nomination model. You need an existing PSRT member to nominate you. After the nomination, you must receive at least two-thirds positive votes from the current PSRT members. The process is designed to balance security expertise with team sustainability. You do not need to be a core developer, team member, or triager to qualify; the PSRT values diverse backgrounds. Once nominated and approved, new members are onboarded through a defined process outlined in PEP 811, which includes training and access to security tools.

Do you need to be a core developer to join the PSRT?

No, you do not need to be a core developer to become a member of the PSRT. The team explicitly welcomes individuals from various roles—infrastructure engineers, security researchers, triagers, and others—as long as they bring valuable skills and commitment to Python security. The recent onboarding of Jacob Coffee, an Infrastructure Engineer, illustrates this inclusive approach. The key requirements are a nomination by an existing PSRT member and approval by a two-thirds majority vote. This openness helps the PSRT access a wider pool of expertise and ensures the team can sustain its critical work.
