Quick Facts
- Category: Programming
- Published: 2026-05-01 22:43:16
The Python Security Response Team (PSRT) recently adopted a formal governance document (PEP 811) thanks to Security Developer-in-Residence Seth Larson. This document outlines team membership, responsibilities, and a clear onboarding process. The first new member under this process, Jacob Coffee, has already joined, marking a step forward in sustaining Python's security work. Below, we answer key questions about the PSRT and how you can contribute.
What recent governance changes have been made to the PSRT?
With the approval of PEP 811, the PSRT now operates under a public governance document. This includes a published list of members, documented duties for both members and admins, and a structured process for adding and removing members. The document also clarifies the relationship between the Python Steering Council and the PSRT, ensuring balanced oversight. These changes aim to improve transparency and sustainability while maintaining security.
Who is the newest PSRT member and how did they join?
Jacob Coffee, the PSF Infrastructure Engineer, is the first non-Release Manager to join the PSRT since Seth Larson became a member in 2023. Jacob's onboarding followed the new process outlined in PEP 811, demonstrating that the updated governance is already operational. This milestone highlights the team's commitment to bringing in fresh expertise beyond traditional core developer roles.
What is the primary role of the Python Security Response Team?
The PSRT is responsible for triaging and coordinating vulnerability reports and fixes for Python and related ecosystem projects, ensuring timely remediation while keeping affected users and downstream distributors informed. In the past year alone, the team published 16 vulnerability advisories for CPython and pip, the highest annual count to date. The team often works with external maintainers to craft fixes that respect existing APIs, threat models, and long-term maintainability.
How does the PSRT coordinate with other open source projects?
When a vulnerability affects multiple projects, the PSRT coordinates with those projects to release synchronized advisories. This prevents the Python ecosystem from being caught off guard. A recent example is the PyPI ZIP archive differential attack mitigation, where cross-project collaboration ensured a coordinated response. Such efforts help protect the entire open source landscape.
How can someone join the Python Security Response Team?
The process mirrors the Core Team nomination process. An existing PSRT member must nominate you, and then at least two-thirds of current members must vote in favor. You do not need to be a core developer, team member, or triager. The team values diverse skills and perspectives beyond just code contributions.
Does joining the PSRT require being a core developer?
No, you do not need to be a core developer to join the PSRT. The team welcomes individuals with relevant security expertise, even if they aren't already part of the Python core development community. This inclusivity strengthens the team's capacity to handle a wide range of security challenges.
What funding supports the PSRT and its work?
The Alpha-Omega project sponsors Seth Larson's role as Security Developer-in-Residence at the Python Software Foundation. This funding directly supports security improvements for the Python ecosystem. Additionally, Seth and Jacob are working on better recognition systems for vulnerability reporters and coordinators, ensuring that behind-the-scenes contributions are acknowledged.