Your Step-by-Step Path to Joining the Python Security Response Team

Last updated: 2026-05-06 07:52:17 · Programming

Introduction

The Python Security Response Team (PSRT) is the frontline defense for the Python ecosystem, handling vulnerability reports and coordinating fixes to keep millions of users safe. With the recent approval of PEP 811, the PSRT now operates under a clearer public governance structure, complete with an open membership list, defined roles, and a formal onboarding process. This new framework balances security needs with sustainability, making it easier than ever for qualified volunteers and staff to contribute. In fact, the PSF Infrastructure Engineer Jacob Coffee recently became the first new non-Release Manager member since 2023, demonstrating the process works. If you’re passionate about Python security, this guide will walk you through exactly how to join the PSRT.

What You Need

  • Existing PSRT member sponsorship: You cannot apply directly — you must be nominated by a current PSRT member.
  • At least ⅔ positive votes from the current PSRT membership during the nomination process.
  • No requirement to be a core developer: You do not need to be a CPython core developer, triager, or even a team member. Security skills and dedication are what matter.
  • Familiarity with Python security practices — understanding vulnerability handling, CVEs, and open-source security workflows is helpful.
  • Commitment to collaboration: The PSRT works closely with maintainers, experts, and sometimes other open-source projects.

Step-by-Step Guide

Step 1: Understand the PSRT’s Role and Responsibilities

Before pursuing membership, you must grasp what the PSRT does. The team triages and coordinates vulnerability reports, publishes advisories (like the 16 issued last year for CPython and pip), and works with maintainers to ensure patches align with API conventions, threat models, and long-term maintainability. They also coordinate across projects — such as the recent ZIP archive differential attack mitigation for PyPI. Recognize that much of this work happens privately and deserves the same recognition as open-source code contributions. Familiarize yourself with the PEP 811 governance document to understand the team’s structure and relationship with the Python Steering Council.

Step 2: Build Relationships with Current PSRT Members

Since nomination requires a current member to sponsor you, you need to connect with the team. Attend Python security discussions, participate in relevant mailing lists (like security-sig), or contribute to security-related issues on CPython or pip. If you’ve already collaborated on security work (e.g., reporting vulnerabilities, reviewing patches), that’s a strong foundation. The PSRT members listed on the public membership page are your potential nominators. Engage with them constructively — show your expertise and reliability.

Step 3: Get Nominated by a Current PSRT Member

Once you have a supporter, they will formally nominate you. The nomination process mirrors the Core Team nomination process. Your nominator will present your case to the team, detailing your contributions, skills, and why you’d strengthen the PSRT. No formal application exists — this step relies entirely on peer recognition.

Step 4: Receive Approval from the PSRT Membership

After nomination, the current PSRT members vote. You need at least ⅔ positive votes to be accepted. This threshold ensures consensus while filling critical roles. The vote is conducted privately to encourage honest feedback. If approved, you’re officially a member! If not, don’t be discouraged — ask for feedback, improve, and try again later.

Step 5: Complete the Onboarding Process

Once voted in, you’ll undergo onboarding as defined in PEP 811. This includes learning the team’s workflows, tools (like GitHub Security Advisories), and coordination procedures. Seth Larson and Jacob Coffee are developing improved processes to record reporters, coordinators, and developers in CVE and OSV records, giving proper credit. You’ll start handling real incidents alongside experienced members. The team values sustainability, so you’ll be supported while balancing security work.

Tips for Success

  • Show consistency: Regularly contribute to Python security even before nomination — it builds trust.
  • Understand the “why”: The PSRT often involves external projects; being able to collaborate across ecosystems is key.
  • Celebrate contributions: Seth and Jacob are highlighting the human effort behind security — do the same for others and yourself.
  • Leverage Alpha-Omega support: This organization sponsors the Security Developer-in-Residence role. Stay informed about their initiatives to align your efforts.
  • Be patient: The process is new but already working — Jacob Coffee’s addition proves it. Persistence pays off.

Joining the Python Security Response Team is a rewarding way to protect the entire Python ecosystem. With the new governance in place and a clear path forward, there’s never been a better time to step up. Start building your connections today!