The Python Security Response Team (PSRT) is the backbone of Python's vulnerability management, but until recently, its inner workings were somewhat opaque. Thanks to the dedicated work of Security Developer-in-Residence Seth Larson and support from the Alpha-Omega project, the PSRT now operates under a new, transparent governance model. Below are eight essential updates that every Python developer, user, and contributor should know about the team's evolution, membership, and how you can become part of this critical security effort.
1. Public Governance Document Approved (PEP 811)
The PSRT has officially adopted a public governance document, codified as PEP 811. This move transforms the team from an informal group into a structured entity with clear rules. For the first time, the community can see exactly how the PSRT operates, who makes decisions, and how security processes are managed. PEP 811 was authored by Seth Larson and outlines the team's purpose, membership criteria, and decision-making procedures. This transparency builds trust and allows external contributors to understand how vulnerability reports are handled. It also sets a precedent for other open-source security teams to follow.
2. Clear Roles for Members and Admins
Under the new governance, every PSRT member has documented responsibilities. Members are expected to triage vulnerability reports, coordinate with project maintainers, and help draft security advisories. Administrators handle membership onboarding, offboarding, and escalate any disputes. Previously, roles were ambiguous, making it hard for volunteers to know what was expected. Now, the published list of members and their duties ensures accountability. This clarity also helps new members integrate faster, as they can immediately see where their skills fit the team's needs.
3. Streamlined Onboarding and Offboarding Process
Security teams must balance openness with the need for trust and confidentiality, because members see embargoed vulnerability details before a fix ships. PEP 811 introduces a formal process for adding and removing members. To join, an existing PSRT member must nominate you, followed by a vote requiring at least two-thirds approval, so that access to unreleased vulnerability information is limited to people the team has vetted. Offboarding procedures handle inactive members or those who no longer meet the requirements. This structured approach makes the team sustainable: responsibilities are not left resting on a few overloaded volunteers, and the people with access are the ones actually available to handle incidents.
4. Defined Relationship with Python Steering Council
The PSRT now has a clear line of reporting to the Python Steering Council, the project's highest governance body. The document specifies that the Steering Council approves any changes to the PSRT's charter or membership. In return, the PSRT provides regular updates on security trends and incidents. This formal connection ensures that security decisions align with the broader project's roadmap. It also elevates the PSRT's status, giving it the authority to act swiftly while remaining accountable to the community.
5. First New Non-Release Manager Member Since 2023
The PSRT recently welcomed Jacob Coffee, the PSF Infrastructure Engineer, as its first new member since 2023 who is not a Release Manager. This marks a significant milestone: before 2023, membership had effectively been limited to Release Managers. Jacob's addition demonstrates that the team is opening up to other experts. His infrastructure knowledge should help secure the Python Package Index (PyPI) and other core services. This expansion strengthens the team's capacity to address a wider range of security issues beyond CPython releases alone.
6. Core Mission: Triage and Coordinate Vulnerability Reports
The PSRT's primary role is to triage and coordinate vulnerability reports for CPython, pip, and other critical Python projects. Last year the team published 16 advisories, the most in a single year. It works closely with project maintainers to ensure fixes stay within existing APIs and the project's documented threat model, minimizing disruption for users. By involving domain experts early, the team creates patches that are both secure and maintainable. This collaborative approach has been key to handling increasingly complex vulnerabilities without breaking backward compatibility.
7. Cross-Project Coordination for Ecosystem Security
Python's security extends beyond its own codebase. The PSRT often coordinates with other open-source projects to avoid ecosystem-wide surprises. A recent example is the mitigation of ZIP parser differentials in packages uploaded to PyPI, where the team worked with PyPI maintainers on an issue that could affect many projects: when two ZIP parsers disagree about what an archive contains, an attacker can ship a package that looks clean to one tool and installs something else under another. This cross-project collaboration ensures that when a fix is released, it doesn't inadvertently expose other parts of the Python ecosystem. The PSRT serves as a central hub for such coordination, reducing the risk of cascading breakage.
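As an added illustration of the ZIP parser differential mentioned above, not code from the PSRT, PyPI or this article: the Python block below builds two constructed archives (one whose central directory lists the same name twice, one whose local file header name was patched after writing), shows that a last-match reader and a first-match reader return different bytes for the same archive, and then runs the kind of consistency check an index or installer can apply before trusting an archive. The function names, the sample archives and the specific checks are this example's own assumptions about what such a check looks like, not PyPI's implementation.

```python
import io
import struct
import warnings
import zipfile

NAME = "pkg/__init__.py"
LOCAL_SIG = b"PK\x03\x04"  # local file header signature


def build_duplicate_name_zip() -> bytes:
    """Constructed sample: the central directory lists NAME twice with
    different payloads. Which one an installer sees depends on its parser."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile only warns on duplicate names
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(NAME, b"VERSION = 'benign'\n")
            zf.writestr(NAME, b"VERSION = 'malicious'\n")
    return buf.getvalue()


def build_mismatched_header_zip() -> bytes:
    """Constructed sample: a clean one-file archive whose local file header
    name is patched so it no longer matches the central directory entry.
    A streaming extractor that trusts local headers sees a different name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pkg/a.py", b"x = 1\n")
    data = bytearray(buf.getvalue())
    with zipfile.ZipFile(io.BytesIO(bytes(data))) as zf:
        off = zf.getinfo("pkg/a.py").header_offset
    # name starts 30 bytes into the local header; same length keeps offsets valid
    data[off + 30:off + 30 + len("pkg/a.py")] = b"pkg/b.py"
    return bytes(data)


def read_last_wins(data: bytes, name: str) -> bytes:
    """CPython's zipfile indexes names by the last central-directory entry."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name)


def read_first_wins(data: bytes, name: str) -> bytes:
    """A parser that stops at the first matching central-directory entry."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.filename == name:
                return zf.read(info)
    raise KeyError(name)


def check_zip_consistency(data: bytes) -> list[str]:
    """Return the reasons an archive could be parsed two ways (empty = accept)."""
    problems = []
    seen = set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.filename in seen:
                problems.append(f"duplicate central-directory entry: {info.filename}")
            seen.add(info.filename)
            off = info.header_offset
            if data[off:off + 4] != LOCAL_SIG:
                problems.append(f"no local file header at offset {off} for {info.filename}")
                continue
            flags = struct.unpack("<H", data[off + 6:off + 8])[0]
            local_crc = struct.unpack("<I", data[off + 14:off + 18])[0]
            name_len = struct.unpack("<H", data[off + 26:off + 28])[0]
            local_name = data[off + 30:off + 30 + name_len].decode("utf-8", "replace")
            if local_name != info.filename:
                problems.append(f"local header name {local_name!r} != central {info.filename!r}")
            # flag bit 3 means the CRC lives in a trailing data descriptor, not the header
            if not flags & 0x8 and local_crc != info.CRC:
                problems.append(f"local header CRC mismatch for {info.filename}")
    return problems


if __name__ == "__main__":
    dup = build_duplicate_name_zip()
    print("last-wins parser :", read_last_wins(dup, NAME))
    print("first-wins parser:", read_first_wins(dup, NAME))
    print("checks (duplicate):", check_zip_consistency(dup))
    print("checks (patched)  :", check_zip_consistency(build_mismatched_header_zip()))
```

The point of the check is that it is deterministic regardless of which parser later consumes the file: an archive is rejected as soon as any two views of it (two central-directory entries, or a local header and its central-directory entry) could disagree, rather than trying to guess which view the installer will pick.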
8. Proper Credit for Security Contributors
Security work often goes unrecognized because it happens behind closed doors. Seth Larson and Jacob Coffee are developing improvements to GitHub Security Advisories workflows that will record the reporter, coordinator, and developer in CVE and OSV records. This means everyone who contributes to a fix will receive proper credit, just like code contributors. By making security contributions visible, the PSRT hopes to attract more volunteers and show that security work is valued as much as feature development.
If you're inspired by these developments, consider joining the PSRT. You don't need to be a core developer—just a strong background in security and a nomination from an existing member. The new governance makes it easier than ever to get involved. Together, we can keep Python safe for everyone.