Strengthening Python Security: Inside the New PSRT Governance and How You Can Contribute

Published 2026-05-02 15:33:40 · Programming

Introduction

Security in open source doesn't happen by magic—it requires dedicated individuals and clear structures. The Python Security Response Team (PSRT) has taken a major step forward by formalizing its operations through a newly approved governance document, PEP 811. This change brings transparency, sustainability, and a clear path for new members to join the team. Here’s what’s new and how you can get involved.

PEP 811: A New Framework for Python Security

Thanks to the efforts of Seth Larson, the Security Developer-in-Residence at the Python Software Foundation (PSF), the PSRT now operates under a public governance document known as PEP 811. This document outlines the team's structure, responsibilities, and processes. For the first time, the PSRT publishes a public list of its members, documents the duties of members and admins, and establishes a formal onboarding and offboarding procedure. This ensures the team can balance the critical needs of security with long-term sustainability.

The governance also clarifies the relationship between the Python Steering Council and the PSRT, providing both teams with clear expectations and boundaries.

Onboarding in Action: Jacob Coffee Joins the Team

The new onboarding process is already bearing fruit. Jacob Coffee, the PSF Infrastructure Engineer, has become the first new non-Release Manager member to join the PSRT since Seth Larson joined in 2023. This is a significant milestone, demonstrating that the governance framework works as intended. We expect more members to follow, further strengthening the sustainability of Python’s security efforts.

What Does the PSRT Actually Do?

Security doesn’t happen by accident. The PSRT, composed of volunteers and paid PSF staff, triages and coordinates vulnerability reports and remediations. This work keeps all Python users safe. In the past year alone, the PSRT published 16 vulnerability advisories for CPython and pip—a record high in a single year.

The PSRT rarely works in isolation. Coordinators actively involve maintainers and domain experts in the remediation process. This collaboration ensures fixes adhere to existing API conventions, respect threat models, remain maintainable in the long term, and minimize disruption to users. Sometimes the team coordinates with other open source projects—such as the recent PyPI ZIP archive differential attack mitigation—to prevent widespread ecosystem impact.

Celebrating Behind-the-Scenes Work

Security contributions often go unnoticed because they happen behind closed doors. Seth Larson and Jacob Coffee are developing improvements to how GitHub Security Advisories record contributions. These changes will properly attribute reporters, coordinators, remediation developers, and reviewers in CVE and OSV records. This recognition is important—security work deserves the same celebration as source code or documentation contributions.

How Can You Join the PSRT?

If you’re inspired to directly help keep Python secure, the path is now clearer than ever. The process mirrors the Core Team nomination process. You need an existing PSRT member to nominate you, and then your nomination must receive at least two-thirds positive votes from current members.

Importantly, you do not need to be a core developer, team member, or triager to join. The PSRT values diverse skills and perspectives. If you have expertise in vulnerability analysis, coordination, or secure development, you could be a valuable addition.

Support from Alpha-Omega

This progress wouldn’t be possible without the support of Alpha-Omega, which sponsors Seth Larson’s work as the Security Developer-in-Residence at the PSF. Their investment underscores the importance of dedicated security roles in open source ecosystems.

Conclusion

The PSRT is stronger than ever thanks to PEP 811, a growing team, and a transparent process. Whether you’re a seasoned security expert or someone looking to contribute to a vital open source project, the door is open. Get involved, and help us keep Python safe for everyone.