Python Security Response Team Unveils New Governance, Onboards First New Member in Two Years


Breaking: Python Security Response Team Adopts Formal Governance, Welcomes New Member

The Python Security Response Team (PSRT) has officially approved a public governance document (PEP 811), marking a major step forward in the sustainability and transparency of Python's security operations. The new framework establishes clear membership lists, defined responsibilities, and a formal onboarding process.


In a significant milestone, Jacob Coffee, the Python Software Foundation (PSF) Infrastructure Engineer, has become the first new non-Release Manager member to join the PSRT since Seth Larson was appointed Security Developer-in-Residence in 2023. "This onboarding process is already proving its value," said Seth Larson. "We're building a more resilient security team for the future."

The governance document also clarifies the relationship between the Python Steering Council and the PSRT, ensuring coordinated oversight of vulnerability responses.

Background: Why Governance Matters

Security doesn't happen by accident. For years, the PSRT relied on informal processes and a small core of volunteers to triage and coordinate vulnerability fixes. Last year, the team published a record 16 advisories for CPython and pip — the most in a single year — highlighting the growing need for structured operations.

The new PEP 811 codifies how members are added and removed, balancing security strictness with team sustainability. "We needed a process that could scale without compromising confidentiality," Larson explained.

The PSRT's work is supported by the Alpha-Omega project, which funds Larson's role and underscores the collaborative effort behind Python ecosystem security.

What This Means for Python Security

The formalized governance ensures faster, more reliable vulnerability handling. With clear roles for admins and members, the PSRT can now expand its talent pool beyond Release Managers. Jacob Coffee's appointment is the first fruit of this policy.

Additionally, the document strengthens the PSRT's ability to coordinate with external projects. Recent cross-project advisories, such as the PyPI ZIP archive differential attack mitigation, show the ecosystem-wide impact of these changes.

Larson also highlighted better attribution for contributors: "We're improving how we record reporter, coordinator, and developer credits in CVE and OSV records. Security contributions deserve recognition just like code commits."

How the PSRT Operates

The PSRT triages and coordinates vulnerability reports and remediations for CPython and pip. Key aspects of its work include:

Jacob Coffee, the new member, brings infrastructure expertise to the team. "I'm excited to contribute to the team's new direction," said Coffee. "The governance framework makes it easier to hit the ground running."

How You Can Join the PSRT

The PSRT is actively seeking new members beyond core developers. The nomination process requires a current PSRT member to nominate you, followed by a two-thirds majority vote. You do not need to be a core developer, team member, or triager — maintainers and experts from across the Python ecosystem are welcome.

Interested individuals should connect with existing PSRT members or watch for public opportunities. "Your expertise could help secure the Python that powers millions of projects," Larson encouraged.

Looking Ahead

Further improvements to workflows involving GitHub Security Advisories are in development, aiming to record all contributors—from reporters to remediators—in CVE and OSV records. This ensures that private contributions to open source security are properly credited.

With PEP 811 in place and a growing team, the PSRT is better equipped than ever to protect the Python ecosystem. The combination of formal governance, dedicated staffing, and community involvement promises a safer future for millions of Python users worldwide.
