Xpj0311
2026-05-03

Strengthening Python's Security: The PSRT's New Governance and Membership

The Python Security Response Team adopts new governance (PEP 811), adds first non-Release Manager member Jacob Coffee, and opens pathways for community involvement in security coordination.

Introduction

Python's security posture is evolving thanks to renewed governance and an expanding team. The Python Security Response Team (PSRT) has recently adopted a formal public governance document (PEP 811), marking a significant step toward transparency and sustainability in handling vulnerabilities. This article explores the changes, the team's role, and how you can contribute to keeping Python safe.

New Governance for the PSRT

The adoption of PEP 811 establishes a clear framework for the PSRT. Key changes include a public list of members, documented responsibilities for both members and administrators, and a structured onboarding and offboarding process. The aim is to keep membership accountable (anyone handling embargoed vulnerability reports is known and has agreed to defined responsibilities) without making the team so closed that it cannot grow. The document also clarifies the relationship between the Python Steering Council and the PSRT, defining boundaries and collaboration points.

Security work requires dedicated resources. The Alpha-Omega project continues to support this effort by sponsoring Seth Larson's role as Security Developer-in-Residence at the Python Software Foundation. Seth's work has been instrumental in drafting PEP 811 and driving the governance reform.

First New Member Under the New Process

The reformed onboarding process is already bearing fruit. Jacob Coffee, the PSF Infrastructure Engineer, has become the first non-Release Manager to join the PSRT since Seth Larson himself joined in 2023. This expansion strengthens the team's capacity to triage and remediate vulnerabilities, with more members expected to follow.

What Does the PSRT Do?

Security doesn't happen by accident. The PSRT, comprising both volunteers and paid PSF staff, coordinates vulnerability reports and fixes for CPython and related projects. In 2023 alone, the team published 16 vulnerability advisories, a record high. Coordinators often bring in subject-matter experts so that fixes respect existing APIs and threat models while minimizing operational impact for downstream users.

Collaboration extends beyond Python. The PSRT sometimes coordinates with other open-source projects to prevent ecosystem-wide surprises, as seen with the PyPI ZIP archive differential attack mitigation.

Recognition for Behind-the-Scenes Work

Contributions to security deserve credit. Seth and Jacob are improving workflows that use GitHub Security Advisories to record reporters, coordinators, and remediation developers, so that credits appear in the published advisory and carry through to the linked CVE and OSV records.

How to Join the PSRT

If you're interested in directly bolstering Python's security, your path is clear. The nomination process mirrors the Core Team nomination process: an existing PSRT member nominates you, and the nomination receives at least two-thirds positive votes from current PSRT members.

You don't need to be a core developer, triager, or team member. The PSRT values diverse backgrounds and skills. Read more about the requirements in PEP 811.

Conclusion

The PSRT's new governance and growing membership are vital for Python's security future. With continued community support, the team can sustain its critical work. Whether by joining or simply spreading awareness, you can help make Python more secure for everyone.