Python Security Response Team: New Governance and Growing Membership

From Stripgay, the free encyclopedia of technology

Introduction

The Python Security Response Team (PSRT) has reached a significant milestone with the formal approval of its governance structure, as outlined in PEP 811. This development, driven by the work of Seth Larson, the Security Developer-in-Residence at the Python Software Foundation, establishes a transparent and sustainable framework for managing security vulnerabilities in the Python ecosystem. The new governance document not only clarifies the team's relationship with the Python Steering Council but also introduces clear processes for membership, responsibilities, and rotation—balancing security needs with long-term sustainability.

What is the Python Security Response Team?

The PSRT is the frontline defense for Python users worldwide. Composed of dedicated volunteers and paid PSF staff, this team triages, coordinates, and publishes vulnerability reports and fixes. In 2023 alone, the PSRT issued 16 vulnerability advisories for CPython and pip—the highest number in a single year to date. Their work often involves collaborating with project maintainers and external experts to ensure that patches align with existing API conventions, threat models, and maintainability standards. Occasionally, the PSRT also coordinates with other open source projects to prevent ecosystem-wide surprises, such as the recent mitigation of PyPI's ZIP archive differential attack.

New Governance Structure (PEP 811)

Before PEP 811, the PSRT operated without a publicly documented governance model. The new framework addresses this by:

  • Publishing a public list of all current PSRT members.
  • Defining clear responsibilities for both regular members and administrators.
  • Establishing an official onboarding and offboarding process to ensure team sustainability.
  • Clarifying the line of authority between the PSRT and the Python Steering Council.

This governance document makes the team's operations more transparent and accountable, while also making it easier to bring in new talent—a critical factor given the growing demands on security teams.

Recent Membership Addition: Jacob Coffee

The new onboarding process is already proving effective. Jacob Coffee, the PSF Infrastructure Engineer, has joined the PSRT as the first non-Release Manager member since Seth Larson's own appointment in 2023. Jacob's expertise will strengthen the team's ability to handle infrastructure-related vulnerabilities and improve coordination with other PSF projects. This addition marks the beginning of a planned expansion to further bolster the sustainability of Python's security work.

How to Join the PSRT

If you're inspired to contribute directly to Python security, the path to membership is now clearly defined. The process mirrors the Core Team nomination system:

  1. You must be nominated by an existing PSRT member.
  2. Your nomination requires at least two-thirds (2/3) positive votes from current PSRT members.

Importantly, you do not need to be a core developer, triager, or even a team member of any specific Python project. The PSRT values diverse skills and perspectives—whether you come from security research, infrastructure, or community management. If you have experience in vulnerability coordination, incident response, or secure development, consider reaching out to a current PSRT member to discuss a nomination.

Acknowledgments and Future Work

The PSRT's achievements would not be possible without the support of the broader ecosystem. Special thanks to Alpha-Omega, whose sponsorship of Seth Larson's role as Security Developer-in-Residence has been instrumental. Additionally, Seth and Jacob are now working on improving how GitHub Security Advisories are used to record credit for reporters, coordinators, and remediation developers and reviewers. These credits will be mapped to CVE and OSV records, ensuring that everyone involved in private security contributions receives proper recognition—just as public code contributions do.

Celebrating security work is just as important as celebrating new features. The PSRT's new governance and growing membership signal a brighter, more resilient future for Python security.