
A Comprehensive Guide to the Python Security Response Team: Governance, Membership, and How to Join

2026-05-02 01:35:01

Overview

The Python Security Response Team (PSRT) is the frontline defense for the Python ecosystem, responsible for triaging vulnerability reports, coordinating fixes, and publishing advisories. Under the governance reforms set out in PEP 811, led by Seth Larson, the Security Developer-in-Residence at the Python Software Foundation, the team now operates under a transparent and sustainable model. This guide walks through the PSRT's structure, the new onboarding process, and the concrete steps for becoming a member.

The PSRT is not a closed circle. With the adoption of PEP 811, the team now publishes a public list of members, defines clear responsibilities for both members and administrators, and has formal onboarding and offboarding procedures. This balances the need for security (keeping sensitive information restricted) with long-term sustainability. The relationship between the PSRT and the Python Steering Council is also clarified, ensuring alignment with the broader Python community.

A recent milestone is the onboarding of Jacob Coffee, the PSF Infrastructure Engineer, as the first member who is not a Release Manager to join since Seth himself in 2023. This is the new process in action, and more members are expected to join soon. The work is supported by Alpha-Omega, which sponsors Seth's role at the Python Software Foundation.

Prerequisites

The governance document lists no formal prerequisites for nomination. In practice, experience with vulnerability triage, coordinated disclosure, or remediation work is highly valued, and you should be prepared to discuss it with your nominator.

Step-by-Step Guide to Joining the PSRT

Step 1: Understand the Role and Responsibilities

The PSRT does not work alone. Coordinators involve maintainers and experts from the affected projects. As a member, you would triage incoming reports, coordinate fixes, and make sure that remedies follow existing API conventions, respect the project's threat model, and minimize breaking changes. You may also coordinate with other open source projects to prevent one vulnerability from cascading into others, as happened with the recent PyPI mitigation for ZIP archive parser differentials.

Step 2: Find a Nominator

You need an existing PSRT member to nominate you. Reach out to current members (the membership list is public, as PEP 811 requires) to discuss your interest and prior contributions. Expect them to ask about your experience with security disclosures and how much time you can commit.

Step 3: Prepare Your Case

Your nominator will present your candidacy to the team. While not required, you may want to provide a summary of relevant work (e.g., security patches, vulnerability reports you've filed, involvement in Python security discussions).

Step 4: Nomination and Voting

Once nominated, the PSRT holds a private vote, following a process similar to Core Team nominations. Your nomination must receive positive votes from at least two-thirds of current PSRT members. If it succeeds, you are formally onboarded and added to the public roster.

Step 5: Onboarding and Training

New members undergo a documented onboarding process. This includes familiarization with the PSRT's private communication channels, vulnerability tracking tools (e.g., GitHub Security Advisories), and the workflows for publishing CVEs and OSV records. The team is actively improving these workflows to give proper credit to reporters, coordinators, and remediation developers.

Step 6: Begin Contributing

Start by shadowing a coordinator on an active vulnerability report. Gradually take on more responsibility. The team encourages involving experts directly in the remediation process to ensure high-quality, maintainable fixes.

Summary

The Python Security Response Team has matured into a well-governed body thanks to PEP 811. With transparent membership, clear roles, and a sustainable onboarding process, the PSRT is now more accessible to qualified security contributors. If you care about Python security and are willing to work collaboratively, you can make a real difference without being a core developer. Start by engaging with the community, find a nominator, and prepare to help keep the Python ecosystem safe. The recent addition of Jacob Coffee shows the process works, and more members are on the way.
