
Inside the Python Security Response Team: Updated Governance and How to Get Involved

Last updated: 2026-05-02 13:41:15

The Python Security Response Team (PSRT) has recently undergone significant structural changes to improve transparency, sustainability, and community involvement. With the approval of PEP 811, the team now operates under a formal governance document, publishes its membership publicly, and has clear processes for onboarding and offboarding members. This Q&A explores the PSRT's role, recent updates, and how you can contribute to Python's security.

What is the Python Security Response Team (PSRT) and why is it important?

The PSRT is a dedicated group of volunteers and paid Python Software Foundation staff who triage, coordinate, and remediate vulnerability reports affecting the Python ecosystem. Their work is critical to keeping all Python users safe. In 2023 alone, the team published a record 16 vulnerability advisories for CPython and pip, the highest annual count to date. Beyond handling reports, PSRT members often collaborate with project maintainers and experts to ensure fixes align with existing API conventions, are maintainable long-term, and minimize disruption to users. This coordinated approach helps maintain the integrity and trustworthiness of the Python programming language.


What governance changes has the PSRT recently adopted?

Thanks to the efforts of Security Developer-in-Residence Seth Larson, the PSRT now has an approved public governance document known as PEP 811. This document formally outlines the team's structure, including a public list of members, clear responsibilities for both members and admins, and defined onboarding and offboarding procedures. It also clarifies the relationship between the Python Steering Council and the PSRT, ensuring that security decisions are made with proper oversight. These changes balance the needs of security (which often requires confidentiality) with the sustainability of the team, making it easier to bring in new members and maintain long-term operational capacity.

How did Jacob Coffee recently join the PSRT and what does this signify?

Jacob Coffee, the PSF Infrastructure Engineer, joined the PSRT as the first new non-Release Manager member since Seth Larson himself joined in 2023. His onboarding followed the new governance process outlined in PEP 811, demonstrating that the updated procedures are already effective. This milestone is significant because it shows the PSRT can now bring in specialized expertise beyond traditional release management roles, bolstering the team's sustainability. More new members are expected to follow, strengthening Python's security response capacity and ensuring the work doesn't rely solely on a small group of volunteers.

How does the PSRT coordinate vulnerability responses with other projects?

The PSRT frequently collaborates with other open source projects to prevent unexpected disruptions when a vulnerability affects multiple ecosystems. For example, in the case of PyPI's ZIP archive differential attack mitigation, the team worked with upstream projects to coordinate disclosure and remediation timelines. This cross-project coordination ensures that when a security advisory is published, all affected communities are prepared and can deploy fixes simultaneously. By involving experts from the relevant projects directly in the remediation process, the PSRT helps maintain API stability, threat-model accuracy, and long-term maintainability of fixes while minimizing impact on existing use cases.

How are security contributions recognized and celebrated?

Security work often happens behind closed doors due to confidentiality requirements, but the PSRT is working to change that. Seth Larson and Jacob Coffee are developing improvements to workflows using GitHub Security Advisories to properly record and attribute everyone involved in a vulnerability response: the reporter, coordinator, remediation developers, and reviewers. These attributions will be embedded in CVE and OSV records, ensuring that contributions to security are recognized publicly alongside source code and documentation contributions. This shift aims to celebrate the often invisible work that keeps Python safe and encourage more people to participate in security efforts.

How can someone join the Python Security Response Team?

The process for joining the PSRT mirrors the Core Team nomination process. An existing PSRT member must nominate you, and the nomination must receive at least two-thirds positive votes from current members. Importantly, you do not need to be a core developer, team member, or triager to be considered: the PSRT values diverse expertise and perspectives. If you are passionate about Python security and have relevant skills (e.g., vulnerability analysis, incident response, or infrastructure), reach out to a current PSRT member to discuss a potential nomination. The new governance structure makes the process more transparent and welcoming.

Who funds and supports the PSRT's work?

The PSRT is supported by both volunteer contributions and paid staff. A key sponsor is Alpha-Omega, which funds Seth Larson's role as Security Developer-in-Residence at the Python Software Foundation. This sponsorship enables dedicated, sustained security work that would be difficult to achieve with volunteers alone. The PSF also contributes infrastructure and staff time, including Jacob Coffee's recent addition to the team. This collaborative funding model helps ensure the Python ecosystem remains secure and resilient against emerging threats.