Python Security Response Team Overhauls Governance, Welcomes First New Member in Two Years
Breaking: Python Security Response Team Adopts Public Governance, Expands Membership
The Python Security Response Team (PSRT) has officially adopted a public governance document, PEP 811, marking a major transparency shift for the group responsible for handling security vulnerabilities in the Python ecosystem. This governance overhaul comes alongside the onboarding of Jacob Coffee, the Python Software Foundation (PSF) Infrastructure Engineer, as the first new non–Release Manager member since 2023.
Background: The PSRT's Role and Evolution
For years, the PSRT operated without a formal, publicly visible charter, relying on informal processes and a small, closed group of mostly Release Managers. The team is tasked with triaging and coordinating vulnerability reports and remediation for CPython, pip, and related projects—a workload that has grown significantly. In 2024 alone, the PSRT published 16 vulnerability advisories, the highest annual total on record.
The need for a clear governance framework became urgent as the team sought to balance the confidentiality required for security work with the openness necessary for sustainable open-source maintenance. PEP 811 was drafted by Security Developer-in-Residence Seth Larson to address this.
What This Means for Python Ecosystem Security
The new governance document formalizes membership criteria, responsibilities, and a transparent onboarding/offboarding process. It also clarifies the relationship between the PSRT and the Python Steering Council, ensuring accountability without hampering rapid response. “This structure will help the team scale and retain institutional knowledge,” said Seth Larson. “By making our processes public, we invite trust and collaboration from the wider community.”
Jacob Coffee’s appointment demonstrates the process is already working. “The PSRT’s work is critical to keeping Python users safe,” Coffee said via a PSF blog post. “I’m excited to help strengthen this team and improve how we record contributions to vulnerability disclosures.”
The updated workflows, including better tracking of reporters and coordinators via GitHub Security Advisories, will ensure that contributors to privately coordinated fixes receive proper acknowledgment in CVE and OSV records.
How to Join the Python Security Response Team
The PSRT is now actively seeking new members—and the bar is lower than many assume. You do not need to be a CPython core developer or a triager. The process mirrors the Core Team nomination: an existing PSRT member must nominate you, followed by a confidential vote requiring at least two‑thirds approval from current members.
Ideal candidates bring expertise in security, vulnerability coordination, or a deep understanding of specific Python projects and their threat models. “We’re looking for people who can commit to the duty of protecting the ecosystem, not just those with a particular title,” added Larson. Security nominations are handled case by case, and the team especially encourages maintainers of critical packages to apply.
The PSF thanks Alpha-Omega, whose continued support of Python ecosystem security funds Larson’s role as Security Developer-in-Residence. “This investment is paying off with real, structural improvements,” said a PSF representative. “A sustainable security team means safer code for millions of developers.”
For more details on the governance document, read PEP 811. To express interest in joining, reach out to any current PSRT member or contact the PSF security team directly.