Python Security Response Team: Governance, Growth, and How to Get Involved
The Python Security Response Team (PSRT) has long been the silent guardian of the Python ecosystem, handling vulnerability reports and coordinating fixes. Thanks to the work of Security Developer-in-Residence Seth Larson, the team has recently adopted a formal governance model under PEP 811. This new framework brings transparency with a public member list, clear responsibilities, and a structured onboarding process. The first to benefit from this process is Jacob Coffee, the PSF Infrastructure Engineer, who became the first non-Release Manager member since Seth joined in 2023. With support from Alpha-Omega, the PSRT is becoming more sustainable. Here are common questions about the team, its work, and how you can join.
What is the Python Security Response Team (PSRT)?
The PSRT is a dedicated group of volunteers and paid Python Software Foundation staff who triage and coordinate vulnerability reports and remediations for the Python ecosystem. They ensure that security issues are handled promptly and responsibly, keeping all Python users safe. In the past year alone, the team published 16 vulnerability advisories for CPython and pip — the highest number in a single year. The team does not work in isolation; coordinators involve project maintainers and subject-matter experts to craft fixes that respect existing APIs, threat models, and long-term maintainability. This collaborative approach minimises disruption while maximising security.
What recent governance changes have been made to the PSRT?
Thanks to Seth Larson, the PSRT now operates under PEP 811, an approved public governance document. This document outlines the team's structure: it mandates a public list of members, clearly defines responsibilities for both members and admins, and establishes a formal process for onboarding and offboarding. It also clarifies the relationship between the PSRT and the Python Steering Council. This move balances the need for security — which often requires discretion — with the sustainability of the team, ensuring that new members can join and existing members can step away gracefully. The new onboarding process is already in action, as evidenced by Jacob Coffee's recent addition.
Who has recently joined the PSRT and why is this significant?
Jacob Coffee, the PSF Infrastructure Engineer, has joined the PSRT using the new onboarding process. This is significant because he is the first non-Release Manager to become a member since Seth Larson joined in 2023. Previously, the team was largely composed of release managers, which limited the diversity of expertise. Jacob's infrastructure background brings fresh perspectives to security workflows. His addition is a testament to the new governance model that allows the team to grow sustainably. The PSF expects more members to follow, further strengthening the Python ecosystem's security posture.
How does the PSRT handle vulnerability reports?
When a vulnerability report comes in, the PSRT triages it to assess severity and impact. Coordinators then involve relevant maintainers and experts from the affected project or submodule. This ensures that any fix aligns with existing API conventions, threat models, and long-term maintenance goals. The goal is to minimise disruption to existing use cases while effectively addressing the issue. The entire process is documented within GitHub Security Advisories, which record the reporter, coordinator, and developers who contributed to the fix. This careful documentation helps attribute credit and ensures transparency after the advisory is published.
How does the PSRT collaborate with other open source projects?
The PSRT often coordinates with other open source projects when a vulnerability affects multiple ecosystems. By sharing information and timing releases, they prevent the Python community from being caught off guard. A recent example is the PyPI ZIP archive differential attack mitigation, where coordination across projects was essential. This cross-project collaboration is a hallmark of responsible disclosure: it ensures that fixes are available simultaneously, reducing the window of exposure. The team also works closely with the Python Software Foundation and external partners like Alpha-Omega, which funds Seth Larson's role as Security Developer-in-Residence.
How is the work of the PSRT recognised?
Security work often happens behind closed doors, making it easy to overlook. To change that, Seth Larson and Jacob Coffee are improving workflows to ensure that every contributor to vulnerability remediation receives proper credit. Using GitHub Security Advisories, they record the reporter, coordinator, and remediation developers and reviewers. This information is then tied to CVE and OSV records. The goal is to make private contributions visible and celebrated, just like code commits or documentation updates. This recognition not only shows appreciation but also encourages more people to participate in security tasks.
How can I join the Python Security Response Team?
If you're interested in contributing directly to Python's security, the process is similar to the Core Team nomination. You need an existing PSRT member to nominate you. Your nomination must then receive at least two-thirds positive votes from the current members. You do not need to be a core developer, triager, or even a team member of any Python project — the team values diverse backgrounds and expertise. What matters is your commitment to security and ability to handle sensitive information. If you have experience with vulnerability handling, infrastructure, or even communication, consider reaching out to a current PSRT member to start the nomination process.