Python Security Response Team Unveils Formal Governance, Welcomes New Member to Bolster Ecosystem Security


Breaking: Python Security Response Team Now Has Formal Governance and a New Member

The Python Security Response Team (PSRT) has officially adopted a public governance document, PEP 811, and added its first new non-Release Manager member since 2023. Jacob Coffee, the Python Software Foundation’s Infrastructure Engineer, joins the team effective immediately, a move the PSF says will enhance the sustainability of security work for the language.


“This governance framework brings much-needed transparency and structure to how we handle vulnerabilities,” said Seth Larson, Security Developer-in-Residence at the Python Software Foundation. “It also makes it easier to bring in skilled volunteers like Jacob without overburdening existing release managers.”

Governance Details

PEP 811, now approved, requires the PSRT to maintain a public roster of members and clearly defines responsibilities for both members and administrators. The document also establishes a formal process for onboarding and offboarding members, balancing security needs with long-term team sustainability.

Additionally, the governance clarifies the relationship between the Python Steering Council and the PSRT, ensuring clear lines of authority and accountability for vulnerability response.

Background: The Role of the PSRT

The Python Security Response Team triages and coordinates vulnerability reports and remediations for CPython and pip, keeping all Python users safe. Last year alone, the team published 16 vulnerability advisories—the highest annual count on record. PSRT coordinators frequently involve project maintainers and subject-matter experts to ensure fixes adhere to existing APIs and threat models while minimizing disruption to users.

The team also coordinates with other open-source projects to prevent ecosystem-wide surprises. A recent example is the mitigation of a ZIP archive differential attack affecting PyPI.

“Security work is often invisible until something goes wrong,” Larson noted. “Formal governance and new members let us scale that invisible work and give proper credit to everyone involved.”

What This Means

The adoption of PEP 811 marks a shift from informal, ad‑hoc security response to a more structured, sustainable model. By publishing membership lists and responsibilities, the team increases accountability and encourages broader community participation. Jacob Coffee’s membership signals a growing investment in infrastructure security by the PSF, supported by sponsors like Alpha‑Omega, which funds Larson’s role.

Moving forward, the PSRT is expected to onboard additional non‑Release Manager members, further strengthening the security posture of Python as its user base expands.

How to Join

Interested contributors can join the PSRT via a nomination process similar to the Core Team’s: an existing PSRT member must nominate you, and the nomination requires at least two‑thirds positive votes from current members. You do not need to be a core developer or maintainer to be considered.

“We’re looking for people with security expertise, not just Python commit access,” Larson said. “If you’ve handled vulnerability disclosures before, reach out to a current member.”
