10 Key Facts About the Python Security Response Team

From Moocchen, the free encyclopedia of technology

The Python Security Response Team (PSRT) plays a critical role in keeping the Python ecosystem safe. From triaging vulnerabilities to coordinating fixes, the team's work often goes unnoticed. But recent changes, including a formal governance document and new members, have brought the PSRT into the spotlight. Whether you're a developer, a security enthusiast, or just curious about how Python handles vulnerabilities, here are ten essential things you should know about the PSRT and how you can get involved.

1. What Is the Python Security Response Team?

The Python Security Response Team (PSRT) is a group of volunteers and paid Python Software Foundation (PSF) staff dedicated to handling security vulnerabilities in the Python programming language. They triage incoming vulnerability reports, coordinate with maintainers to develop patches, and publish advisories. Their work ensures that over 16 million Python users stay protected. Without the PSRT, vulnerabilities could go unaddressed, putting countless projects at risk. The team's efforts extend beyond CPython to include tools like pip and other core ecosystem components.

2. PEP 811 Established Formal Governance

Thanks to Seth Larson, the Security Developer-in-Residence, the PSRT now operates under a formal governance document: PEP 811. This document outlines the team's structure, including a public list of members, clearly defined responsibilities for both members and admins, and a transparent process for onboarding and offboarding. The goal is to balance security needs with long-term sustainability. PEP 811 also clarifies the relationship between the PSRT and the Python Steering Council, ensuring alignment with broader community governance.

3. First New Member in Years Joins the Team

The new onboarding process is already bearing fruit. Jacob Coffee, the PSF Infrastructure Engineer, has joined the PSRT as the first non-Release Manager member since Seth Larson joined in 2023. This milestone demonstrates that the team is opening up to a wider range of expertise. Jacob's role in infrastructure brings fresh perspective to vulnerability coordination. His addition signals a commitment to sustainability, ensuring the PSRT isn't solely reliant on release managers for security work.

4. Record Number of Advisories Published Last Year

In 2023, the PSRT published 16 vulnerability advisories for CPython and pip—the highest number in a single year to date. This reflects both increased security scrutiny and the team's growing capacity to handle disclosures. Each advisory involves careful coordination with developers, affected projects, and sometimes downstream distributions. The record year underscores the importance of having a dedicated security team at a time when open-source ecosystems face escalating threats.

5. Security Developer-in-Residence Role

Supported by a generous grant from Alpha-Omega, Seth Larson serves as the Security Developer-in-Residence at the PSF. This role is dedicated to improving Python's security posture, and a major output has been the governance framework (PEP 811). Seth's position enables focused work on security tooling, process improvements, and mentoring new security contributors. The residency model has proven effective in other open-source projects and is now strengthening Python's defenses.

6. Involving Maintainers and Experts in Remediations

The PSRT rarely works in isolation. When a vulnerability is reported, coordinators reach out to the maintainers and experts of the affected project or submodule. This collaborative approach ensures that fixes respect existing API conventions, follow proper threat models, and remain maintainable over time. It also minimizes disruption to existing codebases. By involving domain experts directly, the team produces patches that are both secure and practical for long-term use.

7. Coordinating with Other Open-Source Projects

Sometimes a vulnerability affects multiple projects beyond Python. The PSRT actively coordinates with other open-source communities to publish advisories that don't catch the ecosystem off-guard. A notable example is the ZIP archive differential attack mitigation in PyPI. This kind of cross-ecosystem coordination is vital for protecting supply chains. It ensures that when one project releases a fix, others are ready to respond, reducing the window of exposure for users.

8. Recognition for Private Security Contributions

Security work often remains invisible because details are disclosed privately. Seth and Jacob are developing improvements to GitHub Security Advisories to record everyone involved—from reporters and coordinators to remediation developers and reviewers. This information flows into CVE and OSV records, giving proper credit to contributors. Recognizing these contributions not only acknowledges effort but also incentivizes more people to participate in security work, which historically lacks the visibility of feature development.

9. How to Join the PSRT

Interested in directly helping secure Python? The process mirrors the Core Team nomination procedure. You need an existing PSRT member to nominate you, and your nomination must receive at least two-thirds positive votes from current members. Importantly, you don't need to be a core developer, team member, or triager. Anyone with relevant security or engineering expertise can be nominated. The open process aims to bring diverse skills into the team while maintaining trust and accountability.

10. The Future of PSRT Sustainability

With the new governance structure and a growing roster of members, the PSRT is building a sustainable foundation for security response. The involvement of Alpha-Omega, the addition of Jacob Coffee, and the continued work of volunteers point toward a robust future. The team is also exploring better tools and workflows to handle an increasing volume of reports. As the Python ecosystem expands, so does the need for a dedicated security response capability—and the PSRT is evolving to meet that challenge.

The Python Security Response Team operates quietly but effectively, ensuring that vulnerabilities are addressed before they can cause harm. From formal governance to cross-project coordination, each improvement makes Python safer for everyone. Whether you join as a member or simply stay informed, understanding the PSRT's work is a step toward a more secure open-source world. Learn how you can get involved and help shape the future of Python security.