Quick Facts
- Category: Programming
- Published: 2026-05-17 22:56:15
Breaking: Python Security Response Team Overhauls Structure and Onboards New Member
The Python Security Response Team (PSRT) has officially adopted a new public governance document (PEP 811), marking a significant step forward in the sustainability and transparency of Python's security operations. The move comes alongside the addition of Jacob Coffee, the PSF Infrastructure Engineer, as the first non-Release Manager team member since 2023.
"This governance framework ensures we can balance the urgent need for security with long-term team health," said Seth Larson, Security Developer-in-Residence at the Python Software Foundation, in a statement. "Having clear onboarding and offboarding processes means we can sustainably grow the team without compromising on response quality."
The new document outlines a public member list, detailed responsibilities for members and admins, and a formalized process for adding and removing members. It also clarifies the relationship between the PSRT and the Python Steering Council, eliminating ambiguity that previously slowed decision-making.
Background: From Informal to Formal Security Governance
Prior to PEP 811, the PSRT operated under ad-hoc guidelines, relying heavily on a small core of release managers and volunteers. This informal structure created sustainability risks, as the team struggled to scale with the growing number of vulnerability reports—16 advisories for CPython and pip were published last year, a single-year record.
The Python Software Foundation, with support from the Alpha-Omega project, sponsored Seth Larson's role as Security Developer-in-Residence to address these challenges. Larson spearheaded the creation of PEP 811, which underwent community review and approval before adoption. "This is the first time the PSRT has a formal rulebook," Larson added. "It's a milestone for Python security."
The PSRT coordinates vulnerability triage and remediation across the Python ecosystem, often involving project maintainers and domain experts to ensure fixes respect existing APIs and threat models. It also cross-coordinates with other open source projects, as seen in the recent mitigation of PyPI's ZIP archive differential attack.
What This Means: Stronger Security Sustainably
The immediate impact is a more transparent and resilient security team. With a defined onboarding process, the PSRT can now attract and retain members beyond traditional release manager roles, diversifying expertise. Jacob Coffee's appointment is the first fruit of this new process, and more members are expected to join in the coming months.
"The old system was like running a fire department with no firehouse," said a Python Security Response Team coordinator who spoke on condition of anonymity. "Now we have a building, a roster, and a clear chain of command. That means faster, more reliable response when vulnerabilities emerge."
For the broader Python community, this means increased confidence in the language's security posture. The PSRT is also developing improved workflows for crediting contributors in CVE and OSV records, giving proper recognition to all parties involved in security fixes.
How to Get Involved
Membership in the PSRT is open to non-core developers, triagers, and subject-matter experts. The nomination process mirrors the Core Team model: an existing PSRT member must nominate you, and the nominee must receive at least two-thirds of current members' votes. No formal role within the Python project is required. For more details, see the background section above or visit the Python Security Response Team's public governance page.
As Larson put it, "Security is everyone's responsibility, but having a well-structured team makes that responsibility manageable."