Inside Python’s Security Response Team: Governance, Growth, and How to Join

Published: 2026-05-02 06:49:15 | Category: Programming

The Python Security Response Team (PSRT) is the frontline defense for the Python ecosystem, handling vulnerability reports and coordinating fixes. Recent updates—including a formal governance document (PEP 811), a public membership list, and a new onboarding process—have made the team more transparent and sustainable. Below, we answer key questions about the PSRT’s role, recent changes, and how you can get involved.

What is the Python Security Response Team (PSRT)?

The Python Security Response Team is a dedicated group of volunteers and paid Python Software Foundation staff who triage, coordinate, and remediate security vulnerabilities affecting the Python ecosystem. Their work ensures that Python users worldwide stay safe from exploits. In the last year alone, the PSRT published 16 vulnerability advisories for CPython and pip—the most in a single year to date. The team doesn't operate in isolation; coordinators actively involve project maintainers and domain experts to craft fixes that align with existing API conventions, threat models, and long-term maintainability. This collaborative approach minimizes disruption to existing use cases while keeping the language secure. Learn more about how the team evolved in the next section.

What major changes have been made to the PSRT governance?

Thanks to the work of Security Developer-in-Residence Seth Larson, the PSRT now operates under a formal public governance document called PEP 811. This document outlines a clear structure: the team maintains a public list of members, defines explicit responsibilities for both members and admins, and establishes a documented process for onboarding and offboarding. These changes balance the often conflicting needs of security (which requires trust and discretion) and sustainability (which requires fresh perspectives and manageable workload). The new governance also clarifies the relationship between the Python Steering Council and the PSRT, ensuring alignment at the highest levels. This framework has already proven effective, as it enabled the smooth addition of a new member—the first in over a year.

Who recently joined the PSRT and why is that significant?

Jacob Coffee, the PSF Infrastructure Engineer, has just joined the Python Security Response Team as the first new non–“Release Manager” member since Seth Larson joined in 2023. This milestone demonstrates that the new onboarding process outlined in PEP 811 is working. Jacob’s addition brings fresh infrastructure expertise to the team, bolstering the sustainability of Python’s security efforts. The PSRT anticipates more new members in the coming months, further strengthening its capacity to handle vulnerabilities. This growth is supported by the Alpha-Omega project, which sponsors Seth Larson’s role as Security Developer-in-Residence at the Python Software Foundation. Without such support, the team would rely solely on volunteers—making Jacob’s arrival a welcome step toward a more resilient ecosystem.

How does the PSRT coordinate with other open source projects?

Security vulnerabilities rarely affect just one project. The PSRT actively collaborates with other open source maintainers to prevent cross-project surprises. For example, during the recent PyPI ZIP archive differential attack mitigation, the team coordinated with multiple projects to ensure a coordinated disclosure that wouldn’t catch the Python ecosystem off-guard. Coordinators involve subject-matter experts from affected projects early in the remediation process, ensuring that patches respect existing API contracts, threat models, and long-term stability. This cross-project communication is essential because a fix in one component might inadvertently break another. By working together, the PSRT helps maintain the integrity of the entire Python software supply chain—not just CPython itself.

How does the PSRT recognize contributors?

Contributing to security can be thankless work because much of it happens behind closed doors. To change that, Seth Larson and Jacob Coffee are developing improvements to the “GitHub Security Advisories” workflow. These improvements will record key roles—such as the reporter, coordinator, remediation developers, and reviewers—and embed that information into CVE and OSV records. The goal is to publicly thank everyone involved in a vulnerability fix, giving proper credit for contributions that otherwise remain invisible. This recognition applies to all participants, from the initial reporter to the final reviewer. By shining a light on security work, the PSRT hopes to celebrate these efforts just as the community celebrates code contributions and documentation improvements.

How can someone join the Python Security Response Team?

If you’re interested in directly helping secure the Python language, the process is now documented and transparent. A candidate must be nominated by an existing PSRT member; then the nominee must receive at least ⅔ positive votes from the current team. Notably, you do not need to be a core developer, team member, or triager—the PSRT values diverse backgrounds and expertise. The nomination process mirrors the Core Team nomination process, though tailored for security’s unique trust requirements. Once approved, members take on documented responsibilities, including triaging reports and coordinating fixes. If you have relevant skills and a passion for security, reach out to a current PSRT member to discuss a potential nomination. The team is actively looking for new members to ensure long-term sustainability.