Introduction
Security doesn't happen by accident. The Python Security Response Team (PSRT) is the volunteer and staff group that triages vulnerability reports, coordinates fixes, and keeps the Python ecosystem safe. Recently, thanks to the work of Security Developer-in-Residence Seth Larson, the PSRT has adopted PEP 811—a public governance document that brings transparency to team membership, responsibilities, and onboarding. This guide walks you through becoming a member of the PSRT, using the new, approved process that balances security needs with sustainability.
What You Need
- Existing involvement in Python security or related open-source projects (e.g., CPython, pip, PyPI).
- Nomination by a current PSRT member.
- At least ⅔ (two‑thirds) of positive votes from existing PSRT members.
- No requirement to be a core developer, team member, or triager—anyone with relevant expertise can be considered.
- Understanding of PSRT responsibilities: triaging reports, coordinating with project maintainers, and handling embargoed disclosures.
Step-by-Step Guide
Step 1: Learn About the PSRT and Its Role
Before pursuing membership, familiarize yourself with the team’s mission. The PSRT handles all security vulnerability reports for CPython, pip, and other core Python projects. They coordinate with maintainers, ensure fixes adhere to API conventions and threat models, and sometimes work with other open-source projects (e.g., the recent ZIP archive differential attack mitigation on PyPI). Read the PEP 811 governance document to understand the structure and expectations.
Step 2: Gain Relevant Experience
While you don’t need to be a core developer, you should have a track record in security work. This could include:
- Reporting vulnerabilities to the PSRT or other projects.
- Contributing to security fixes or audits.
- Participating in security discussions on Python issue trackers or security mailing lists.
- Collaborating with maintainers on security-related improvements.
The PSRT encourages involvement from non‑core contributors; expertise matters more than formal titles.
Step 3: Find a Nominator
You need a current PSRT member to nominate you. The public list of members is now available. Reach out to a member you know, demonstrate your interest and experience, and request their support. The nominator will initiate the onboarding process defined in PEP 811.
Step 4: Go Through the Voting Process
After nomination, the existing PSRT members vote. You must receive at least two‑thirds positive votes to be accepted. The vote is confidential to protect security considerations. If approved, you will be added to the team roster and receive access to private communication channels and vulnerability tracking tools.
Step 5: Complete Onboarding and Start Contributing
New members go through a documented onboarding process that covers:
- PSRT procedures for triaging and disclosing vulnerabilities.
- Use of GitHub Security Advisories and other coordination tools.
- Ethics, confidentiality, and sustainability practices.
After onboarding, you can begin triaging reports, coordinating with experts, and helping to publish advisories. The PSRT also records contributors in CVEs and OSV records to give proper recognition—something Seth Larson and Jacob Coffee (the first non‑Release Manager member since 2023) are actively improving.
Tips for Success
- Start small – Engage with the Python security community by attending open meetings, subscribing to the security‑announce list, or helping with documented vulnerability reviews.
- Build relationships – Many nominations come from existing team members who know your work. Contribute to security fixes or participate in discussions to become visible.
- Emphasize sustainability – The PSRT values long‑term maintainability of fixes and minimal disruption to users. Highlight your ability to consider those aspects.
- Be patient – The voting process may take time. The team balances security with transparency; trust the process.
- Celebrate contributions – Security work often goes unrecognized. The PSRT now explicitly credits reporters, coordinators, and reviewers. Make sure you’re prepared to give that same recognition to others.
With the new governance in place, joining the PSRT is more transparent and accessible. The first new member (Jacob Coffee) has already on‑boarded, proving the process works. If you have the skills and dedication, you can help keep the Python ecosystem secure.