The Python Security Response Team: 7 Key Facts You Should Know
The Python Security Response Team (PSRT) is the unsung guardian of one of the world’s most popular programming languages. From triaging critical vulnerabilities to coordinating with project maintainers, the PSRT ensures that Python remains secure for millions of developers. But how does this team operate, and how can you get involved? Here are 7 essential facts that reveal the inner workings, recent improvements, and opportunities within the PSRT.
1. A New Public Governance Document (PEP 811)
The PSRT recently achieved a major milestone with the official approval of PEP 811, a comprehensive governance document that brings transparency and accountability to the team. This document, largely championed by Security Developer-in-Residence Seth Larson, lays out the team’s structure, responsibilities, and decision-making processes. For the first time, the PSRT now publishes a public list of its members, clearly defines the duties of both members and admins, and establishes a formal relationship with the Python Steering Council. This level of openness not only builds trust with the community but also sets a new standard for security teams in open source projects.
2. Streamlined Onboarding and Offboarding
Security teams must balance confidentiality with sustainability. The PSRT’s new governance introduces a clearly defined process for adding and removing members, ensuring that sensitive access is managed carefully while encouraging new blood. This process is already in action: Jacob Coffee, the PSF Infrastructure Engineer, has just become the first non-"Release Manager" member to join the PSRT since Seth Larson in 2023. This onboarding marks a positive step toward a more diverse and sustainable team, and the PSRT expects more new members to follow. The structured approach helps maintain continuity while allowing the team to scale as security challenges grow.
3. A Clear Relationship with the Python Steering Council
One significant clarification in PEP 811 is the defined relationship between the PSRT and the Python Steering Council. The Steering Council retains oversight of the PSRT’s activities, providing strategic guidance and approval for major decisions. In return, the PSRT operates with a degree of autonomy necessary for handling vulnerability reports confidentially. This separation ensures that security decisions are made quickly by experts while still aligning with the broader direction of the Python language. The document also outlines how conflicts or escalations are handled, reducing ambiguity and ensuring accountability.
4. What the PSRT Actually Does (And Why It Matters)
Security doesn’t happen by accident. The PSRT’s core mission is to triage, coordinate, and publish vulnerability reports affecting CPython, pip, and other key Python components. In the last year alone, the team published 16 vulnerability advisories — the highest number in a single year to date. Each advisory involves verifying the issue, developing a fix, coordinating with package maintainers, and communicating the risk to users. The team works behind the scenes to ensure that patches are released quickly and responsibly. Without the PSRT, many critical vulnerabilities could go unaddressed, leaving the Python ecosystem exposed.
5. Collaboration with Maintainers and Other Projects
The PSRT rarely works alone. To ensure fixes are robust, the team actively involves project maintainers and subject-matter experts in the remediation process. This collaboration ensures that patches respect existing APIs, follow threat models, and remain maintainable over the long term. Additionally, the PSRT coordinates with other open source projects when a vulnerability crosses ecosystem boundaries. A recent example is the PyPI ZIP archive differential attack mitigation, where the PSRT worked with PyPI maintainers to prevent a widespread attack. This cross-project cooperation is vital in a connected software world.
6. Recognition for Behind-the-Scenes Contributors
Contributions to security are often invisible, but the PSRT is changing that. Seth Larson and Jacob Coffee are developing improvements to GitHub Security Advisories that will record every contributor — from reporters to coordinators to remediation developers — in the final CVE and OSV records. This means that those who help make Python safer will finally receive proper credit, just like code committers or documentation writers. This initiative not only encourages more people to get involved but also celebrates the collaborative nature of security work.
7. How You Can Join the PSRT
If the above has inspired you to contribute directly to Python security, the path is now clearer than ever. The nomination process is similar to the Core Team nomination: an existing PSRT member must nominate you, and your nomination must receive at least a two-thirds positive vote from current members. Importantly, you do not need to be a core developer, triager, or release manager to apply. Anyone with a proven commitment to Python security and the ability to handle confidential information is welcome. The team values diverse expertise, from security engineering to infrastructure to code review. If you’re interested, start by engaging with the community and expressing your desire to help.
The Python Security Response Team is more than a gatekeeper — it’s a model for how open source security teams can operate with transparency, sustainability, and community support. With the new governance in place and a growing team, the PSRT is poised to meet future threats head-on. Whether you’re a seasoned security researcher or an enthusiastic Pythonista, there has never been a better time to learn about — or even join — this vital team.