
Exploring the Python Security Response Team: Governance, Growth, and How to Get Involved

Posted by u/Oppise Stack · 2026-05-02 11:53:32

The Python Security Response Team (PSRT) plays a critical role in protecting the Python ecosystem. With recent governance improvements, new members, and clearer processes, the team is more transparent and sustainable than ever. Below, we answer key questions about the PSRT, its recent developments, and how you can contribute.

What is the Python Security Response Team and why is it important?

The Python Security Response Team (PSRT) is a dedicated group of volunteers and paid Python Software Foundation staff who handle vulnerability reports and coordinate remediation efforts for the Python ecosystem. They triage security issues, develop patches, and ensure that fixes are released promptly to keep all Python users safe. In the past year alone, the PSRT published 16 vulnerability advisories for CPython and pip—the highest number ever in a single year. This work is essential because security doesn’t happen by accident; it requires careful coordination and expertise. The PSRT often works with project maintainers and subject-matter experts to craft fixes that respect existing APIs, threat models, and long-term maintainability, minimizing disruption for the millions of developers relying on Python.

What recent governance changes has the PSRT made?

Thanks to the efforts of Security Developer-in-Residence Seth Larson, the PSRT now operates under an approved public governance document known as PEP 811. This new framework introduces a clear organizational structure: the team publishes a public list of members, defines explicit responsibilities for both members and admins, and establishes a formal process for onboarding and offboarding members. These changes balance the need for security (confidentiality during vulnerability handling) with sustainability (ensuring the team can grow and renew itself). The document also clarifies the relationship between the Python Steering Council and the PSRT, making it easier to resolve disputes and align priorities. This governance update marks a significant step toward long-term resilience for Python security efforts.

Who has recently joined the PSRT and what does this mean for the team?

Jacob Coffee, the PSF Infrastructure Engineer, has joined the PSRT as the first non–Release Manager member since Seth Larson himself joined in 2023. This milestone demonstrates that the new onboarding process defined in PEP 811 is already working. Jacob brings valuable infrastructure expertise, which will help the PSRT improve how it handles security advisories, tracks contributors, and coordinates with platforms like GitHub and OSV. His addition signals a broader effort to recruit diverse skills beyond the traditional Release Manager role, strengthening the team’s ability to sustain high-quality security work. The PSF expects more new members to follow, further bolstering the Python ecosystem’s security posture.

How does the PSRT handle vulnerability reports and coordinate fixes?

When a vulnerability is reported, PSRT coordinators assess the issue and involve the most relevant project maintainers and experts. This collaborative approach ensures that fixes conform to existing API conventions, threat models, and long-term maintainability while minimizing impact on existing use cases. The PSRT also leverages GitHub Security Advisories to record detailed information about the reporter, coordinator, and remediation developers. Seth and Jacob are working on further improvements to these workflows, aiming to automatically attribute credit in CVE and OSV records. This transparency not only properly thanks everyone involved in otherwise private contributions, but also encourages recognition of security work as a valuable form of open source contribution—just as important as writing code or documentation.

How does the PSRT collaborate with other open source projects?

Sometimes a vulnerability affects multiple projects across the Python ecosystem. To prevent surprises, the PSRT coordinates with other open source teams before publicly disclosing an advisory. A recent example is the PyPI ZIP archive differential attack mitigation, where the PSRT worked with PyPI and other projects to develop and release a coordinated fix. This cross-project collaboration helps ensure that patches are compatible and that downstream users can update all affected dependencies at once. By involving experts from related projects early in the remediation process, the PSRT reduces the risk of incomplete fixes and maintains the overall health of the open source supply chain. The team’s governance document supports these inter-project relationships as a key part of its mission.

How can someone join the Python Security Response Team?

If you’re interested in directly contributing to Python security, the process is similar to the Core Team nomination system. You need an existing PSRT member to nominate you, and the nomination must receive at least two-thirds positive votes from current PSRT members. Importantly, you do not need to be a core developer, team member, or triager to be considered—the PSRT values diverse expertise. Whether you have experience in security analysis, infrastructure, project management, or a related field, your skills may be needed. The team is actively seeking new members to increase sustainability and ensure that the workload of handling vulnerabilities does not fall on a small group. If you work closely with Python security or have demonstrated commitment to the ecosystem, consider reaching out to a PSRT member to start the conversation.