Python Security Response Team Overhauls Governance, Welcomes First New Member in Two Years


Python Security Response Team Announces New Public Governance and First New Member Since 2023

The Python Security Response Team (PSRT) has officially adopted a new public governance framework under PEP 811, marking a significant shift toward transparency and sustainability in managing security vulnerabilities. The first new non-Release Manager member, Jacob Coffee, has joined the team under the revised onboarding process.


“PEP 811 codifies our responsibilities, membership criteria, and onboarding procedures for the first time,” said Seth Larson, Security Developer-in-Residence at the Python Software Foundation. “This ensures the PSRT can scale its work while maintaining the trust of the nearly 16 million Python developers worldwide.”

The governance document clarifies the PSRT’s relationship with the Python Steering Council and mandates a public list of members, documented roles for members and admins, and a clear process for adding and removing members to balance security needs with long-term sustainability.

Background

Until now, the PSRT operated informally, largely composed of CPython Release Managers and a small number of trusted volunteers. Last year the team published 16 vulnerability advisories for CPython and pip—the highest annual count on record—highlighting the growing need for a formal structure.

“Security doesn’t happen by accident,” Larson added. “This governance gives us the framework to triage and coordinate vulnerability reports more efficiently, involving project maintainers and experts to ensure fixes are robust and minimally disruptive.”

The PSRT also coordinates with other open source projects to prevent cascading vulnerabilities, as seen with the recent PyPI ZIP archive differential attack mitigation.

New Member Onboarding Underscores Success

Jacob Coffee, the PSF Infrastructure Engineer, joined the PSRT as the first member admitted under the new PEP 811 process. He is the first non-Release Manager to join since Seth Larson became a member in 2023.


“Having Jacob on board shows the process works,” Larson said. “We expect more members to follow, bringing diverse expertise to keep Python secure.” Coffee will help improve workflows around GitHub Security Advisories, ensuring that all contributors—reporters, coordinators, and remediation developers—are properly credited in CVE and OSV records.

What This Means

The formalized governance means the PSRT can sustainably handle an increasing volume of vulnerability reports while expanding its team. For Python users, this translates to faster, more transparent security patches and fewer disruptions.

“The onboarding process is similar to core team nominations—any existing PSRT member can nominate a candidate, who then needs at least 2/3 approval,” Larson explained. “You don’t need to be a core developer or triager; we value diverse backgrounds.” This opens the door for more community members to contribute directly to Python’s security posture.

The Python Software Foundation thanks Alpha-Omega for sponsoring Seth Larson’s work, which made these governance improvements possible.

How to Get Involved

Interested in joining the PSRT? Reach out to an existing member to discuss a nomination. The team is actively looking for individuals with experience in vulnerability management, software security, and open source collaboration.

For full details, read PEP 811 and the official PSRT governance document.