Inside the Python Security Response Team: Governance, Growth, and How to Get Involved
Explore the Python Security Response Team's new governance, recent member additions, and how to join this critical group safeguarding the Python ecosystem.
The Python Security Response Team (PSRT) has recently reached a major milestone with the formal approval of PEP 811, a governance document that outlines its structure, responsibilities, and membership processes. This evolution, driven by Security Developer-in-Residence Seth Larson, brings transparency and sustainability to the team that keeps Python users safe. Below, we explore what the PSRT does, how it's changing, and how you can become part of this vital effort.
What is the Python Security Response Team (PSRT)?
The PSRT is a dedicated group of volunteers and paid Python Software Foundation (PSF) staff who triage, coordinate, and remediate security vulnerabilities affecting the Python ecosystem. They handle reports for CPython, pip, and other core projects, ensuring that security issues are addressed quickly and responsibly. In 2023 alone, the PSRT published 16 vulnerability advisories—the highest number in a single year to date. The team often collaborates with project maintainers and experts to design fixes that respect existing APIs, threat models, and long-term maintainability. They also coordinate with other open source projects to prevent ecosystem-wide surprises, as seen with the PyPI ZIP archive differential attack mitigation.
What is PEP 811 and why is it important?
PEP 811 is the newly approved governance document for the PSRT. It formalizes the team's structure by mandating a public list of members, documenting administrative and member responsibilities, and establishing clear processes for onboarding and offboarding. This framework balances the often conflicting needs of security—where secrecy is sometimes necessary—and team sustainability, ensuring members aren't overburdened. The document also clarifies the relationship between the PSRT and the Python Steering Council, providing a transparent chain of accountability. This governance update was championed by Seth Larson, the Security Developer-in-Residence, and marks a significant step toward making security work more sustainable for the Python language.
Who recently joined the PSRT and what does this signify?
Jacob Coffee, the PSF Infrastructure Engineer, has become the first new non-Release Manager member of the PSRT since Seth Larson joined in 2023. This milestone demonstrates that the new onboarding process, defined in PEP 811, is already working effectively. Jacob's addition strengthens the team's capacity to handle security incidents and infrastructure-related vulnerabilities. His role reflects a broader push to diversify membership beyond traditional Release Managers, bringing in experts from other critical areas like infrastructure. The expectation is that more new members will follow, further bolstering the long-term sustainability of Python's security response capabilities.
How does the PSRT coordinate with other maintainers and projects?
The PSRT rarely works in isolation. Coordinators are encouraged to involve maintainers and domain experts directly in the remediation process. This ensures that security fixes align with existing API conventions and threat models, and that they remain maintainable over the long term with minimal disruption to users. When a vulnerability affects multiple open source projects, the PSRT coordinates with those projects to publish advisories simultaneously, preventing any single ecosystem from being caught off guard. A recent example is the coordination around PyPI's ZIP archive differential attack mitigation, which required collaboration across several tools and platforms to address a cross-cutting security flaw.
How are contributions to security work recognized?
Historically, security contributions have been less visible than code or documentation improvements. Seth Larson and Jacob Coffee are developing improvements to workflows involving GitHub Security Advisories to record the reporter, coordinator, and remediation developers and reviewers. This information will be included in CVE and OSV records, giving proper credit to everyone involved in these often private contributions. The goal is to celebrate and acknowledge security work just as openly as other types of open source contributions, highlighting the critical role these volunteers and staff play in keeping Python safe.
How can I join the Python Security Response Team?
Joining the PSRT requires a nomination from an existing team member. The nomination must then receive at least two-thirds positive votes from the current PSRT members, a process similar to the Python Core Team nomination process. Importantly, you do not need to be a core developer, team member, or triager to be considered. The PSRT values diverse expertise, including infrastructure, security analysis, and coordination skills. If you're interested in directly helping make Python more secure, start by contributing to security-related discussions, building relationships with current members, and demonstrating your expertise in vulnerability handling or related areas.
What support does the PSRT receive from organizations like Alpha-Omega?
The Alpha-Omega project has been a key supporter of Python ecosystem security. They sponsor Seth Larson's role as Security Developer-in-Residence at the Python Software Foundation, enabling dedicated, full-time attention to security governance, coordination, and improvements like PEP 811. This funding is critical because security work often requires sustained effort beyond what volunteers can provide. Alpha-Omega's support helps ensure that the PSRT has the resources to maintain its growing responsibilities, adopt better tooling, and recruit new members, ultimately leading to a more resilient Python ecosystem.