
Your Guide to the Python Security Response Team: Governance, Membership, and How to Get Involved

Last updated: 2026-05-07 08:50:15 · Programming

The Python Security Response Team (PSRT) is the front line of defense for the Python ecosystem, handling vulnerability reports and coordinating fixes. Recently, the team has undergone a major governance update with the approval of PEP 811, making its operations more transparent and sustainable. This Q&A covers everything you need to know about the PSRT, from its new public membership list to the onboarding process—and how you can become a part of this critical security work.

What is the Python Security Response Team and why is it important?

The PSRT is a dedicated group of volunteers and paid Python Software Foundation (PSF) staff who triage and coordinate vulnerability reports for CPython, pip, and other ecosystem projects. Without their efforts, security issues could go unaddressed or be mishandled. In 2023 alone, the team published 16 vulnerability advisories—the highest number in a single year to date. The PSRT also works closely with project maintainers and external experts to ensure that fixes follow existing API conventions, maintain long-term stability, and minimize disruption. Their role is critical to keeping millions of Python users safe.

What new governance changes have been made to the PSRT?

PEP 811, authored by Security Developer-in-Residence Seth Larson, established a formal public governance document for the PSRT. Under this new structure, the team now publishes an open list of members, documents the responsibilities of both members and admins, and defines a clear process for onboarding and offboarding. This balances the needs of security (keeping sensitive work private) with sustainability (ensuring the team can grow and refresh over time). The document also clarifies the relationship between the Python Steering Council and the PSRT, ensuring proper oversight without micromanagement.

Who has recently joined the PSRT and how does the onboarding work?

Jacob Coffee, the PSF Infrastructure Engineer, became the first new non-Release Manager member to join the PSRT since Seth Larson joined in 2023. Jacob’s onboarding followed the newly defined process in PEP 811, which requires that an existing PSRT member nominate a candidate and that the candidate then receive at least ⅔ positive votes from current members. This approach ensures that new members are carefully vetted while making the team more sustainable. More members are expected to join soon, bolstering the resilience of Python ecosystem security.

How does PSRT coordinate with other open source projects?

Often, vulnerabilities affect multiple projects across the Python ecosystem. The PSRT actively coordinates with maintainers of other open source software to avoid surprises. A recent example is the PyPI ZIP archive differential attack mitigation, where the PSRT worked with PyPI and other projects to roll out coordinated fixes. By involving experts from affected projects early in the remediation process, the team ensures that patches are secure, maintainable, and compatible with existing workflows. This collaborative approach prevents security gaps that could otherwise emerge from disjointed disclosures.

How can I join the Python Security Response Team?

Membership on the PSRT is open to more than just core developers. You do not need to be a core developer, team member, or triager to apply. The process mirrors the Core Team nomination process: a current PSRT member must nominate you, and then the nominee needs at least ⅔ positive votes from existing members. If you have a background in security, open source maintenance, or incident response, consider reaching out to a current PSRT member to express your interest. The team values diverse skills and perspectives to strengthen Python’s security posture.

How does the PSRT ensure proper credit for vulnerability reports and fixes?

Seth Larson and Jacob Coffee are developing improvements to the workflow around GitHub Security Advisories. These improvements will record the reporter, coordinator, and remediation developers and reviewers directly into CVE and OSV records. This means that the people who contribute to private vulnerability handling—often invisible to the public—will receive proper recognition. By celebrating these contributions just like source code or documentation improvements, the PSF aims to motivate more volunteers and professionals to join the security effort.