Joining the Python Security Response Team: Governance, Onboarding, and Impact
The Python Security Response Team (PSRT) has recently undergone significant changes thanks to efforts led by Security Developer-in-Residence Seth Larson. With the approval of PEP 811, the team now operates under a public governance document that defines membership, responsibilities, and the relationship with the Python Steering Council. This Q&A overview covers the team's mission, the changes PEP 811 introduces, and how new members such as Jacob Coffee are being onboarded to strengthen Python's security over the long term.
1. What is the Python Security Response Team and what does it do?
The Python Security Response Team (PSRT) is a dedicated group of volunteers and paid Python Software Foundation staff responsible for triaging vulnerability reports and coordinating remediations. In the past year alone, the PSRT published 16 vulnerability advisories for CPython and pip, a record high. The team does not operate in isolation: coordinators actively involve project maintainers and domain experts so that fixes respect existing API conventions, threat models, and long-term maintainability. This collaborative approach minimizes disruption for existing use cases while keeping users safe. The PSRT also coordinates with other open-source projects to avoid surprises when an advisory affects several projects at once.
2. What are the key changes introduced by PEP 811?
PEP 811 establishes an approved public governance document for the PSRT. Key changes include a publicly available list of members, clearly defined responsibilities for both members and admins, and a structured onboarding and offboarding process that balances security needs with team sustainability. The document also formalizes the relationship between the PSRT and the Python Steering Council, ensuring clear lines of authority and communication. This governance overhaul was spearheaded by Security Developer-in-Residence Seth Larson, with support from the Alpha-Omega project, which sponsors his work. The result is a more transparent, resilient team capable of scaling its security efforts as Python’s ecosystem grows.
3. Who recently joined the PSRT and what does this signify?
Jacob Coffee, the PSF Infrastructure Engineer, recently became the first new non-"Release Manager" member of the PSRT since Seth Larson joined in 2023, and the first member onboarded under the PEP 811 process. His addition shows that the PSRT is expanding its expertise beyond release management, which distributes the workload and improves long-term sustainability. The team expects more new members to follow. Growth matters because handling vulnerabilities quickly and effectively depends on having a diverse set of skills and perspectives available.
4. How does the PSRT coordinate with other open-source projects?
The PSRT regularly coordinates with other open-source projects to prevent surprises when a vulnerability advisory affects multiple ecosystems. A recent example is the PyPI ZIP archive differential attack mitigation. By collaborating early, the PSRT ensures that fixes are aligned across projects, reducing the risk of incomplete patches or conflicting timelines. Coordinators are encouraged to involve maintainers and security experts from other projects directly in the remediation process. This approach respects each project’s API conventions, threat models, and long-term maintainability, while minimizing negative impact on existing use cases. Such proactive coordination is essential for maintaining trust across the broader Python ecosystem.
5. How are contributions recognized in security work?
PSRT members are developing improved workflows around GitHub Security Advisories to record and credit everyone involved in handling a vulnerability: the reporter, the coordinator, and the remediation developers and reviewers. The goal is for this attribution to flow through into the corresponding CVE and OSV records so that contributions remain visible and acknowledged. Seth Larson and Jacob Coffee are leading this effort to give security work the same recognition as code or documentation contributions. Security work is often private by nature, so transparent attribution both encourages community involvement and makes the importance of these contributions visible.
6. How can someone join the Python Security Response Team?
Joining the PSRT follows a process similar to Core Team nomination: a current PSRT member nominates you, and the nomination must receive at least two-thirds positive votes from existing members. Notably, you do not need to be a core developer, team member, or triager to qualify. The team values diverse expertise, including infrastructure engineering, security analysis, and project maintenance. If you are passionate about Python security and have relevant skills, reach out to a current PSRT member to discuss a nomination. The governance structure under PEP 811 makes the process clear and consistent, helping the team grow sustainably while maintaining a high level of trust.