Everything You Need to Know About the Python Security Response Team
The Python Security Response Team (PSRT) has recently undergone significant reforms to improve transparency, sustainability, and public engagement. With a new governance document (PEP 811) now approved, the team has formalized its membership, responsibilities, and onboarding procedures. These changes were championed by Seth Larson, the Security Developer-in-Residence at the Python Software Foundation (PSF), and are already bearing fruit—most notably with the addition of Jacob Coffee as the first non-Release Manager member since 2023. Below, we answer common questions about the PSRT, its new structure, and how you can get involved.
What is the Python Security Response Team (PSRT) and what do they do?
The PSRT is a dedicated group of volunteers and paid PSF staff who handle all security vulnerabilities affecting the Python ecosystem. Their core tasks include triaging incoming reports, coordinating with project maintainers to develop patches, and publishing advisories (like CVEs) to protect users. In 2023, the team issued a record 16 vulnerability advisories for CPython and pip. The PSRT also works behind the scenes to ensure fixes are maintainable, respect API conventions, and minimize disruption to existing code. By involving domain experts in the remediation process, they maintain high security standards without breaking the Python community's trust. Their work is critical to keeping Python safe for millions of developers worldwide.
What recent changes have been made to the PSRT governance structure?
The approval of PEP 811 marks a major overhaul. The PSRT now operates under an explicit public governance document that clarifies:
- A public members list so the community knows who is on the team.
- Formal responsibilities for both members and admins.
- A clear onboarding and offboarding process to balance security needs with team sustainability.
- The relationship between the Python Steering Council and the PSRT.
This new structure makes the team more accountable and easier to join. It already enabled Jacob Coffee to become the first non-Release Manager member since 2023, proving the process works. The nomination and voting system ensures candidates are vetted by existing members while encouraging fresh perspectives.
How does the PSRT handle vulnerability reporting and coordination?
When a vulnerability is reported, the PSRT assigns a coordinator who involves the relevant maintainers and experts. This collaborative approach ensures that fixes align with the project's threat model, API conventions, and long-term maintainability. The goal is to minimize impact on existing use cases while properly addressing the security issue. The PSRT also coordinates with other open source projects when a vulnerability affects multiple ecosystems. For example, they helped mitigate a ZIP archive differential attack on PyPI. All this work is often carried out in private until a patch is ready, after which advisories are published. The team uses GitHub Security Advisories to track reporters, coordinators, and remediation contributors.
Who can join the PSRT and what is the nomination process?
You do not need to be a core developer, team member, or triager to join the PSRT. The process mirrors the Core Team nomination procedure: an existing PSRT member must nominate you, and the nomination must receive at least a ⅔ positive vote from current members. This ensures that new members are trusted by the team while keeping the door open to diverse backgrounds—whether you are a security researcher, infrastructure engineer, or just a dedicated community member. The goal is to strengthen the team's sustainability and bring in fresh expertise. If you're interested, start by engaging with current PSRT members (they are listed on the public roster) and contributing to security-related discussions in the Python community.
How does the PSRT collaborate with other open source projects?
Security vulnerabilities often span multiple projects. The PSRT proactively reaches out to maintainers of affected projects to coordinate disclosure and patch releases. This prevents the Python ecosystem from being caught off-guard. A notable example is the PyPI ZIP archive differential attack where the PSRT worked with PyPI maintainers to implement mitigations. By sharing information early and respecting each project's release cadence, the team helps ensure that fixes are deployed simultaneously (or nearly so), reducing the window of risk. This collaborative ethos extends to tooling: the PSRT uses standards like CVE and OSV to record contributions, giving credit to all involved across projects.
How are contributions to security work recognized?
Up until recently, security contributions often went unacknowledged due to the private nature of vulnerability handling. That's changing. Seth Larson and Jacob Coffee are improving workflows to record reporters, coordinators, and remediation developers in CVE and OSV records via GitHub Security Advisories. This means everyone who contributes—whether they write code, review patches, or coordinate disclosure—will be properly thanked. The PSRT wants to celebrate security work just like any other open source contribution. Public recognition also incentivises more people to help, which is vital for the sustainability of Python's security.
What impact has the Alpha-Omega sponsorship had on Python security?
Alpha-Omega funded Seth Larson's role as the Security Developer-in-Residence at the PSF. This sponsorship made possible the governance reforms in PEP 811, the public membership list, and the streamlined onboarding process that brought Jacob Coffee onto the team. Without this support, the PSRT would have remained a smaller, less transparent group. The funding has directly increased the sustainability of security work by allowing dedicated staff to focus on process improvements and recruitment. As a result, Python's security posture is stronger than ever, with record numbers of advisories published and a growing team ready to meet future challenges.