
How to Become a Member of the Python Security Response Team: A Complete Guide

Last updated: 2026-05-10 18:12:36 · Programming

Overview

The Python Security Response Team (PSRT) is the frontline defense for the Python ecosystem. Composed of volunteers and paid staff from the Python Software Foundation (PSF), the PSRT triages, coordinates, and remediates vulnerability reports that affect CPython, pip, and other core Python projects. In 2023 alone, the team published 16 advisories—the highest number in a single year—demonstrating the growing importance of structured security response.


Recent governance changes, formalized in PEP 811, have made the PSRT more transparent and sustainable. The team now publishes a public membership list, documents member and admin responsibilities, and has a clear onboarding/offboarding process. This guide will walk you through everything you need to know about joining the PSRT, from prerequisites to the nomination and voting procedure.

Prerequisites

Before you consider applying, make sure you meet the following criteria:

  • No requirement to be a core developer: You do not need to be a Python core developer, triager, or even a project maintainer. What matters is your ability to handle sensitive security information and collaborate effectively.
  • Security expertise or willingness to learn: Familiarity with common vulnerability classes (e.g., CWE categories), CVSS scoring, and secure coding practices helps, because PSRT reports range from memory-safety bugs in CPython's C code to supply-chain issues in pip.
  • Time commitment: Expect to dedicate several hours per month to triage, coordinate with project maintainers, and participate in private discussions. During critical vulnerabilities, the time demand can spike.
  • Trust and reliability: PSRT members must be able to keep embargoed information confidential and follow responsible disclosure guidelines.

No formal application form exists; the process is invitation based, similar to the Python core team nomination process.

Step-by-Step Instructions

1. Build Your Security Reputation

PSRT members are nominated by existing members, so you need to be known in the Python security community. Here's how:

  • Report vulnerabilities to the PSRT via the official security contact (security@python.org), following its disclosure guidance rather than filing public issues.
  • Participate in public security discussions on the security-sig mailing list or on GitHub issues related to security patches.
  • Contribute to security-related projects like bandit, safety, or pip-audit.
  • Attend Python security sprints or conferences (e.g., PyCon US security track).

2. Get Sponsored or Noticed

The only formal path to membership is a nomination from a current PSRT member. To increase your chances:

  • Reach out to the Security Developer-in-Residence (currently Seth Larson) or other known members. Introduce yourself and express interest.
  • Offer to help with ongoing security tasks, such as triaging a low-severity report or reviewing a patch.
  • Demonstrate reliability by consistently following through on small tasks.

3. The Nomination Process

Once a PSRT member decides to nominate you, they will:

  1. Prepare a nomination statement describing your contributions, security background, and why you'd be a good fit.
  2. Submit the nomination privately to the PSRT mailing list (accessible only to current members).
  3. Await voting: The team has 14 days to vote. At least ⅔ of current members must approve for the nomination to succeed.

Note: The exact voting procedure is documented in PEP 811. If you're nominated, you'll be informed by the team once the vote concludes.

4. Onboarding (If Accepted)

After a successful vote, you'll follow the new onboarding process defined in PEP 811:

  • Access to private channels: You'll be added to the PSRT's private mailing list, Slack (or other chat), and the vulnerability tracking system.
  • Training: A senior member will brief you on handling embargoed reports, using the advisory workflow (e.g., GitHub Security Advisories), and coordinating with project maintainers.
  • First assignment: Shadow a coordinator on a low-severity issue before taking on your own cases.

Common Mistakes

Mistake 1: Assuming You Must Be a Core Developer

Many talented security engineers assume they need commit access to CPython to join. In reality, the PSRT values diverse skills: penetration testing, cryptography, supply-chain analysis, or even community management. As long as you can handle sensitive information, you're welcome.

Mistake 2: Trying to Join Without Any Track Record

Because the nomination relies on existing members, you must make yourself visible. Sending a cold email saying “I want to join” is rarely effective. Build relationships first—report bugs, write security tooling, or assist with existing issues.

Mistake 3: Underestimating the Time Commitment

PSRT work isn't occasional. When a critical vulnerability (for example, a memory-safety bug in a CPython C extension module) is reported, expect intense, time-sensitive coordination that may last days. If you cannot absorb occasional urgent workloads, reconsider.

Mistake 4: Ignoring the Governance Document (PEP 811)

Many prospective members skip reading PEP 811. This document outlines your rights, responsibilities, and the relationship between the PSRT and the Python Steering Council. Understanding it demonstrates professionalism and helps avoid confusion later.

Summary

Joining the Python Security Response Team is a meaningful way to give back to the ecosystem while working on high-impact security challenges. The path is clear: build a reputation, get noticed by a current member, go through the nomination and voting process (requiring ⅔ approval), and then onboard using the new PEP 811 framework. Remember, you don't need to be a core developer—just a dedicated security practitioner willing to coordinate and keep Python users safe.

Keywords: Python Security Response Team, PSRT, PEP 811, vulnerability response, security team membership