How to Join the Python Security Response Team: A Step-by-Step Guide

Introduction

The Python Security Response Team (PSRT) is the front line of defense for the Python ecosystem. Thanks to the recent approval of PEP 811, the team now has a transparent governance structure, published membership lists, clear responsibilities, and a formal onboarding process. This update was driven by Seth Larson, the Security Developer-in-Residence at the Python Software Foundation, with support from Alpha-Omega. The new process is already bearing fruit: Jacob Coffey, the PSF Infrastructure Engineer, recently became the first non-Release Manager member to join since Seth in 2023. This guide will walk you through the steps to become a member of the PSRT and contribute to Python’s security.

What You Need

Before you begin, ensure you have the following:

Step-by-Step Guide

Step 1: Understand the PSRT’s Role and Responsibilities

Read the newly approved PEP 811 to understand the team’s governance, membership criteria, and responsibilities. The PSRT triages and coordinates vulnerability reports, publishes advisories (16 in the last year for CPython and pip), and works with maintainers to ensure fixes are sustainable. You should also be aware of the relationship between the PSRT and the Python Steering Council as outlined in the PEP.

Step 2: Get Involved in the Python Security Community

Start contributing to security-related discussions on the Python Security mailing list, attend weekly triage meetings if available, and help with vulnerability reports or patches. Building trust and visibility with current PSRT members is key. You can also contribute to tools like GitHub Security Advisories and OSV records to get hands-on experience.

Step 3: Find a PSRT Member to Nominate You

The nomination process (similar to the Core Team nomination process) requires an existing PSRT member to sponsor you. Approach someone whose work you admire and who knows your contributions. Explain why you want to join and how you can help the team achieve its goals of sustainability and security.

Step 4: Prepare Your Nomination

Work with your sponsor to compile a brief summary of your security contributions, relevant experience, and motivation. The nomination will be presented to the full PSRT for evaluation. There is no formal application form—nominations are typically brought up during team meetings or via private discussion.

Step 5: Submit the Nomination

Your sponsor will formally submit your nomination to the PSRT. The team will then review your background and may ask questions. Ensure all documentation is clear and concise.

Step 6: Await the Voting Process

Once submitted, the PSRT votes on your nomination. A two-thirds (⅔) positive vote from existing members is required for approval. The process may take several weeks as members discuss and vote asynchronously.

Step 7: Complete Onboarding

If accepted, you’ll go through the new onboarding process documented in PEP 811. You’ll gain access to private communication channels, receive a formal welcome, and learn about your responsibilities as a coordinator. The PSRT encourages involving experts from the broader community when needed, so you’ll be part of a collaborative effort to keep Python secure.

Tips for a Successful Application

Joining the Python Security Response Team is a meaningful way to protect millions of developers worldwide. With the new governance in place, the path is clearer than ever. Start building your security expertise today and connect with the team to make a difference.
