Overview
The Python Security Response Team (PSRT) is the backbone of vulnerability management for the Python ecosystem. Composed of dedicated volunteers and paid Python Software Foundation (PSF) staff, the PSRT triages, coordinates, and publishes advisories for security issues in CPython, pip, and other core projects. In 2023 alone, the team published a record 16 advisories. This critical work often involves collaborating with upstream maintainers and other open-source projects to ensure fixes are both effective and minimally disruptive.
Following the recent approval of PEP 811, the PSRT now operates under a formal public governance document. This framework brings transparency through a published member list, clear responsibilities for members and administrators, and a defined onboarding-offboarding process. The new structure also clarifies the relationship between the PSRT and the Python Steering Council. As a result, the team is now actively recruiting new members—Jacob Coffee, the PSF Infrastructure Engineer, recently became the first non–release manager member to join since Seth Larson’s appointment as Security Developer-in-Residence in 2023.
If you have a passion for Python security and are ready to contribute behind the scenes, this guide will walk you through everything you need to know to become a PSRT member. From understanding prerequisites to navigating the nomination process, you’ll find clear, actionable steps.
Prerequisites
Before you set your sights on joining the PSRT, it’s important to understand what the team looks for. You do not need to be a CPython core developer, a triager, or a release manager. However, you should have:
- Security expertise or strong interest – Familiarity with common vulnerability classes, CVEs, and responsible disclosure practices is beneficial.
- Python ecosystem knowledge – Understanding how CPython, pip, PyPI, and related tools work is essential.
- Community involvement – Active participation in Python open-source projects, whether through code, documentation, or triage, demonstrates your commitment.
- Existing connection to a current member – A nomination from an existing PSRT member is required; building relationships within the Python security community is key.
If you meet these prerequisites, you’re ready to move forward.
Step-by-Step Guide to Joining the PSRT
1. Understand the PSRT's Role and Governance
Start by reading PEP 811 and the current PSRT governance document. This will give you a clear picture of team responsibilities, decision-making processes, and the relationship with the Steering Council. Also review the public member list to see who’s currently on the team. Familiarize yourself with recent vulnerabilities published by the PSRT (e.g., CPython security advisories) to understand the scope of work.
2. Build Your Security Expertise in the Python Ecosystem
Dive into the security aspects of Python. Contribute to security-related issues, reports, or tooling. For example:
- Participate in the Python Security Model discussions on the Python Security Discourse.
- Review and test patches for vulnerability fixes in
cpythonorpiprepositories. - Familiarize yourself with tools like
bandit,safety, or GitHub Security Advisories.
Seth Larson and Jacob Coffee have been improving workflows to properly credit reporters, coordinators, and remediation developers in CVE and OSV records. Understanding these processes will make you a more effective candidate.
3. Get Involved with the Community and Contribute
Visibility matters. Attend Python security meetings, join the #python-security channel on Python Dev Slack, and contribute to security-related discussions. Offer to help with triaging reported issues or drafting advisory language. Even minor contributions—like verifying reproduction steps or suggesting mitigation strategies—demonstrate your initiative and reliability.
4. Find a Current PSRT Member to Nominate You
Membership requires a nomination from an existing PSRT member. Use your community connections to identify a potential sponsor. Explain your interest, share your relevant experience, and ask for guidance. If you’ve been actively contributing, members may already be aware of your work. The nomination process mirrors the Core Team nomination process: a member submits your name, and a vote is held.
5. The Nomination and Voting Process
Once nominated, the existing PSRT members will vote. Per the new governance (PEP 811), your nomination must receive at least two-thirds (⅔) positive votes to be accepted. The vote is conducted privately to maintain security and avoid external pressure. If approved, you’ll be formally welcomed as a new member.
6. Onboarding as a New Member
After acceptance, you’ll go through an onboarding process that includes reviewing internal guidelines, gaining access to security-only communication channels, and understanding your member responsibilities. You’ll be expected to:
- Triage and coordinate vulnerability reports.
- Involve relevant maintainers and experts when needed.
- Help publish advisories and coordinate with external projects (like PyPI’s ZIP archive differential attack mitigation).
- Participate in periodic offboarding reviews to maintain team balancing.
Be prepared to commit time and uphold confidentiality.
Common Mistakes to Avoid
- Assuming you must be a core developer – The PSRT values security experience over commit access. Many contributors are not core developers.
- Neglecting community involvement – Joining without prior engagement is nearly impossible; start contributing early.
- Ignoring the governance document – Not understanding PEP 811 can lead to misunderstandings about roles and voting.
- Overlooking the time commitment – PSRT work involves rapid response and coordination; ensure you can balance it with other responsibilities.
- Waiting for an invitation – Proactively express your interest to current members rather than hoping to be noticed.
Summary
Joining the Python Security Response Team is a rewarding way to directly contribute to the security of the entire Python ecosystem. Thanks to the new governance structure (PEP 811) and ongoing support from organizations like Alpha-Omega, the team is growing and seeking new members. By understanding the prerequisites, building expertise, engaging with the community, and securing a nomination, you can become part of this vital group. Start your journey today by exploring the PSRT’s public resources and reaching out to current members.