Python Security Response Team: New Governance, New Member, and How You Can Contribute
A New Era for Python Security
The Python Security Response Team (PSRT) has long been the backbone of vulnerability management for the Python ecosystem. Until recently, its operations were largely informal, relying on the dedication of volunteers and staff. That changes now with the approval of PEP 811, a public governance document that formalizes the PSRT’s structure, membership, and processes. In a welcome sign of momentum, the PSF’s Infrastructure Engineer, Jacob Coffee, has also just become the first non-Release Manager to join the team since Seth Larson’s arrival in 2023.
PSRT Gets a Formal Governance Document (PEP 811)
Thanks to the work of Seth Larson, the Security Developer-in-Residence at the Python Software Foundation, PEP 811 is now officially adopted. This document brings several key improvements:
- Public membership list: For the first time, everyone can see who is on the PSRT.
- Clear responsibilities: Both members and administrators now have documented duties, ensuring accountability.
- Defined onboarding and offboarding: The new process balances the need for security (vetting new members) with sustainability (preventing burnout by rotating members).
- Relationship with the Steering Council: The document clarifies how the PSRT interacts with Python’s highest decision-making body, avoiding confusion during incident response.
This governance overhaul is already proving its worth, as it has enabled a smooth addition of a new member without compromising security practices.
First New Member Under Revised Process: Jacob Coffee
Jacob Coffee, the PSF Infrastructure Engineer, has joined the PSRT as the first non-Release Manager member since Seth himself joined in 2023. His expertise in infrastructure will be invaluable for handling vulnerabilities that affect packaging, distribution, and runtime environments. Expect more new members in the coming months, further strengthening the team’s ability to handle security work sustainably.
What the Python Security Response Team Does
Security doesn’t happen by accident. The PSRT triages incoming vulnerability reports, coordinates remediation with developers, and publishes advisories to keep all Python users safe. Last year alone, the team published 16 vulnerability advisories for CPython and pip—the highest annual count to date.
Importantly, the PSRT rarely works in isolation. Coordinators are encouraged to involve project maintainers and subject-matter experts directly in the fix process. This ensures that patches adhere to existing API conventions, align with threat models, remain maintainable long-term, and minimize disruption to real-world use cases.
Sometimes the team goes even further, coordinating with other open source projects so that the broader ecosystem is not caught off guard. A recent example is the mitigation for PyPI’s ZIP archive differential attack, which required alignment with multiple package registries.
Recognizing Security Contributions
Security work—often done in private—deserves as much recognition as code contributions. Seth and Jacob are now developing better workflows using GitHub Security Advisories to record the reporter, coordinator, and remediation developers and reviewers all the way through to CVE and OSV records. This means everyone involved in a fix will be properly thanked, even if the vulnerability details remain confidential for a period.
How to Join the Python Security Response Team
If you’re inspired to help keep Python secure, know that the process is similar to the Core Team nomination process. You need an existing PSRT member to nominate you, and your nomination must receive at least two-thirds positive votes from current members. You do not need to be a core developer, triager, or have any special title—the PSRT values diverse expertise, including infrastructure, cryptography, web security, and more.
The PSRT is supported by the Python Software Foundation and by organizations like Alpha-Omega, which sponsors Seth’s work as the Security Developer-in-Residence. Their backing ensures that Python’s security team has the resources needed to protect millions of users worldwide.
For more information, read the full PEP 811 governance document or explore the PSF website.