Python Security Response Team Overhauls Governance, Welcomes First New Member in Over a Year

2026-05-05 19:06:54

In a move to strengthen transparency and sustainability, the Python Security Response Team (PSRT) has adopted a new public governance framework under PEP 811. The team also announced the addition of Jacob Coffee, the Python Software Foundation's Infrastructure Engineer, as its first non-Release Manager member since 2023.

"This governance document is the result of months of work to ensure the PSRT can operate effectively while balancing security needs with long-term viability," said Seth Larson, Security Developer-in-Residence at the Python Software Foundation. "Having a clear process for onboarding and offboarding members strengthens the team's ability to respond to vulnerabilities."

Background

The PSRT, composed of volunteers and paid PSF staff, is responsible for triaging and coordinating vulnerability reports for CPython and pip. In 2023 alone, the team published 16 advisories—the highest number in a single year to date. The new governance document provides a public list of members, outlines responsibilities for members and administrators, and clarifies the relationship between the PSRT and the Python Steering Council.

"Security doesn't happen by accident," Larson emphasized. "It requires dedicated effort and clear procedures. PEP 811 ensures everyone knows who is accountable and how decisions are made."

New Member Brings Infrastructure Expertise

Jacob Coffee, who joined the PSF as Infrastructure Engineer earlier this year, is the first new PSRT member outside the release manager category since Larson himself joined in 2023. Coffee's expertise in infrastructure will help the team address security issues related to packaging and deployment.

"I'm excited to contribute to such a critical aspect of Python's ecosystem," Coffee said. "The new governance structure makes it easier for non-core developers like me to get involved and make a difference."

What This Means

The governance overhaul signals a commitment to sustainability and community involvement in security. By providing clear paths for onboarding, the PSRT can weather turnover and maintain institutional knowledge. The addition of members from diverse backgrounds—not just release managers—broadens the team's capabilities.

"This is a model for how open source projects can professionalize security response without losing their volunteer spirit," noted a spokesperson for Alpha-Omega, which funds Larson's position. "The Python ecosystem is safer because of these changes."

Coordination with Broader Ecosystem

The PSRT frequently collaborates with other open source projects to prevent cross-project vulnerabilities. A notable recent example is the coordination with PyPI on the ZIP archive differential attack mitigation, which protected multiple projects from being caught off guard.

"We can't work in isolation," Larson explained. "By involving project maintainers and experts directly in the remediation process, we ensure fixes adhere to existing API conventions and have minimal impact on users."

How to Join

Interested individuals can be nominated by an existing PSRT member. The nomination must receive at least two-thirds positive votes from current members. No core developer status is required; any community member with relevant security expertise may apply.

"We need more eyes on security," Larson said. "If you have experience with vulnerability coordination or secure coding, consider seeking a nomination."

Looking Ahead

Larson and Coffee are also developing improvements to the way GitHub Security Advisories record contributors. Their goal is to properly attribute work done by reporters, coordinators, and remediation developers in both CVE and OSV records, ensuring that private contributions to security fixes are recognized alongside public code.

"This work deserves celebration just like contributions to source code and documentation," said Larson. "We want everyone involved to get proper credit."

— Reporting for the Python Software Foundation