5 Key Facts About the Python Security Response Team (And How You Can Join)

The Python Security Response Team (PSRT) has undergone a major transformation thanks to the efforts of Seth Larson, the Security Developer-in-Residence. Now operating under an approved public governance document (PEP 811), the team is more transparent and sustainable than ever. This listicle breaks down the most important changes, the team's crucial role, and the straightforward path to becoming a member yourself.

1. A New Governance Framework (PEP 811)

The PSRT now has a formal charter outlined in PEP 811, which was developed by Seth Larson and approved by the Python Steering Council. This document brings structure to a team that previously operated on informal norms. Key provisions include a public member roster, clear responsibilities for both members and administrators, and a defined onboarding and offboarding process that balances security needs with long-term sustainability. The governance also clarifies the relationship between the Python Steering Council and the PSRT, ensuring accountability and smooth decision-making. This transparency is a major step forward for the Python ecosystem, making it easier for volunteers and organizations to understand who handles vulnerability reports and how the team operates.

2. The Team's Critical Role in Python Security

Security doesn't happen by accident. The PSRT is a mix of volunteers and paid Python Software Foundation staff who triage, coordinate, and remediate vulnerability reports. In the past year alone, the team published 16 vulnerability advisories for CPython and pip — the most ever in a single year. These advisories protect millions of users worldwide. The team rarely works in isolation; coordinators actively involve project maintainers and subject-matter experts to ensure fixes respect existing APIs, threat models, and maintainability. They also coordinate with other open-source projects to avoid chain reactions, as seen with the PyPI ZIP archive differential attack mitigation. This collaborative approach keeps the entire Python ecosystem resilient.

3. A Milestone: Jacob Coffee Joins as First Non-Release Manager Member

The new onboarding process is already bearing fruit. Jacob Coffee, the PSF Infrastructure Engineer, has joined the PSRT as the first new member who is not a release manager since Seth Larson joined in 2023. This is a significant milestone because it demonstrates that the PSRT is opening its doors to a wider range of expertise beyond core release management. Jacob’s background in infrastructure will bring valuable perspective to security operations. The team expects additional members to join soon, further strengthening the sustainability of Python security work. This expansion is partly supported by Alpha-Omega, which sponsors Seth’s role as Security Developer-in-Residence.

4. Recognition and Credit for Hidden Contributions

Security work often remains in the shadows, but Seth and Jacob are changing that. They are improving workflows around GitHub Security Advisories (GHSA) to record the reporter, coordinator, and remediation developers and reviewers. This data will flow into CVE and OSV records, ensuring that everyone who contributes to private vulnerability handling receives proper credit. This recognition is long overdue — just as source code contributions are celebrated, so too should security improvements be. By making these contributions visible, the PSRT encourages more volunteers to participate and acknowledges the critical work that keeps Python safe.

5. How You Can Join the Team

Interested in directly helping secure Python? The membership process mirrors the Core Team nomination system. You need to be nominated by an existing PSRT member, and your nomination must receive at least a ⅔ positive vote from current members. Importantly, you do not need to be a core developer, triager, or release manager — diverse skills are welcome. Whether you're an expert in cryptography, infrastructure, or vulnerability analysis, the team values fresh perspectives. If you think you can contribute, reach out to a current member and express your interest. The PSRT is actively looking to expand its ranks to ensure long-term sustainability.

The Python Security Response Team is evolving into a more transparent, inclusive, and sustainable force for good. With new governance, fresh members, and a clear path to joining, now is the perfect time to get involved. Thanks to the support of Alpha-Omega and the dedication of volunteers, Python’s security future looks brighter than ever.
