Python Security Response Team: New Governance and Growing Community Enhance Ecosystem Safety

Published: 2026-05-01 17:07:51 | Category: Programming

Introduction

The Python Security Response Team (PSRT) has taken a significant step forward with the approval of a formal governance document, PEP 811. This milestone, championed by Security Developer-in-Residence Seth Larson, establishes a transparent framework for team operations, membership, and accountability. The new structure not only clarifies the PSRT's relationship with the Python Steering Council but also ensures the team can sustainably handle the growing number of vulnerability reports. Recently, the PSF Infrastructure Engineer Jacob Coffee became the first non-Release Manager member to join since Seth in 2023, demonstrating the effectiveness of the updated onboarding process. With support from Alpha-Omega, the Python ecosystem is better equipped to address security challenges.

Governance Modernization: PEP 811 in Action

Public Documentation and Clear Roles

PEP 811 provides the PSRT with a publicly available governance document that outlines member responsibilities, administrative duties, and a defined process for adding or removing members. This transparency helps balance the need for security (limiting sensitive information leaks) with the sustainability of the volunteer-driven team. The document also explicitly defines the relationship between the PSRT and the Python Steering Council, ensuring aligned decision-making.

First New Member Under the New Process

Jacob Coffee’s addition to the PSRT, in his role as an infrastructure engineer at the PSF, marks a successful test of the new onboarding mechanism. His work focuses on maintaining the Python infrastructure, making his security expertise valuable for triaging and remediating vulnerabilities. This addition strengthens the team’s capacity to handle reports without overburdening existing members.

The PSRT’s Vital Role in Python Security

Vulnerability Triage and Advisory Publication

Security doesn’t happen by accident. The PSRT works continuously to triage incoming vulnerability reports, coordinate with maintainers, and publish advisories. In the past year alone, the team released 16 advisories for CPython and pip—the highest annual count ever. Each advisory helps Python users worldwide stay protected.

Coordinating with Project Maintainers

When a report comes in, PSRT coordinators involve the relevant project experts—core developers, submodule maintainers, or security specialists. This collaborative approach ensures fixes respect existing API conventions, threat models, and long-term maintainability, while minimizing disruption to users.

Cross-Project Coordination

Vulnerabilities often affect multiple open source projects. The PSRT proactively coordinates with other ecosystems to avoid surprise disclosures. A recent example is the mitigation of a ZIP archive differential attack in PyPI, which required synchronized patches across several tools.

Recognition and Workflow Improvements

Contributions to security deserve as much recognition as code commits or documentation. Seth Larson and Jacob Coffee are enhancing workflows based on GitHub Security Advisories to automatically attribute reporters, coordinators, and remediation developers in CVE and OSV records. This ensures everyone involved in the private process receives proper credit.

How to Join the Python Security Response Team

If you’re passionate about making Python more secure, consider becoming a PSRT member. The nomination process mirrors the Core Team nomination: an existing member must nominate you, and at least two-thirds of current PSRT members must vote in favor. You do not need to be a core developer or maintainer—diverse backgrounds are welcome.

The team encourages applications from individuals with expertise in security, infrastructure, or project maintenance. By joining, you help sustain the security of Python for everyone.

Conclusion

The Python Security Response Team is evolving to meet the demands of a growing ecosystem. With clear governance, a dedicated Security Developer-in-Residence, and a new onboarding pipeline, the PSRT is better positioned than ever to protect Python users. The addition of Jacob Coffee and the support from Alpha-Omega signal a bright future for security in the Python community. If you’re interested in contributing, reach out to a current member—your expertise could make a difference.