Igorfit
2026-05-01
Programming

Python Security Response Team Gains Formal Governance and First New Member in Two Years

Python Security Response Team adopts formal governance (PEP 811) and welcomes first new non-release-manager member Jacob Coffee, bolstering long-term security sustainability.

Python Security Response Team Overhauls Operations with New Governance Framework

The Python Security Response Team (PSRT) has officially adopted a formal governance document (PEP 811) and announced its first new member since 2023, marking a significant milestone in the sustainability of Python's security efforts.

Jacob Coffee, the Python Software Foundation's Infrastructure Engineer, has joined the PSRT as the first member who is not a Release Manager since Seth Larson's appointment as Security Developer-in-Residence last year. Coffee's onboarding follows the newly approved public governance structure.

Governance Details Unveiled

PEP 811, now publicly available, establishes clear roles and responsibilities for PSRT members and administrators. The document outlines a defined process for both onboarding and offboarding team members, balancing security needs with long-term sustainability.

"This governance framework ensures that our security response team can scale effectively while maintaining the trust of the Python community," said Seth Larson, Security Developer-in-Residence at the PSF. "The transparent membership list and documented decision-making processes are critical for accountability."

The document also clarifies the relationship between the Python Steering Council and the PSRT, ensuring that strategic oversight and operational security work remain aligned.

Urgent Need for Sustainability

Security vulnerabilities pose an urgent threat to the Python ecosystem, which powers millions of applications worldwide. In the past year alone, the PSRT published 16 advisories for CPython and pip — the most in a single year to date. The team coordinates with external maintainers and projects to mitigate risks without disrupting existing workflows.

"The volume of vulnerability reports has grown dramatically, and having a proper governance model is essential to keep up," added Larson. "Without this structure, we risk burnout and delayed responses."

Background: From Ad-Hoc to Formalized Security

Before PEP 811, the PSRT operated with informal processes and no public membership list. The team relied heavily on a small group of volunteer Release Managers. The new governance document, supported by funding from Alpha-Omega, aims to professionalize security operations while preserving the volunteer-driven ethos.

The onboarding of Jacob Coffee demonstrates the new process in action. Coffee will bring infrastructure expertise to vulnerability triage and remediation, helping to implement improvements like GitHub Security Advisory workflows that credit all contributors — reporters, coordinators, and patch developers.

What This Means: A Stronger, More Sustainable Security Response

The formal governance structure allows the PSRT to attract and retain diverse talent beyond core developers. Members no longer need to be Release Managers or core team members; any qualified individual can be nominated by an existing member and approved by a two-thirds vote.

"This opens the door for security experts, infrastructure engineers, and researchers to contribute directly to Python's safety," said Jacob Coffee in a statement. "We're building a team that can handle the growing complexity of threats."

The addition of Coffee also signals a shift toward professional support for security work, reducing reliance on overstretched volunteers. Combined with the governance document's clarity, the Python ecosystem is better positioned to respond to future vulnerabilities without sacrificing speed or quality.

How to Get Involved

The PSRT is actively seeking new members. The nomination process requires a sponsor from the existing team and a two-thirds majority vote. Those interested are encouraged to contact a current PSRT member to discuss potential contributions.

"Security is a shared responsibility," Larson emphasized. "We need more hands on deck — and now we have the processes to bring them in sustainably."

For more details, visit the PEP 811 page and the PSRT membership list.