
10 Insider Facts About the Python Security Response Team's New Era

Published 2026-05-02 13:19:05 · Programming

Welcome to a new chapter in Python security! The Python Security Response Team (PSRT) just rolled out a formal governance document (PEP 811), public membership lists, and a transparent onboarding process. Thanks to Seth Larson's Security Developer-in-Residence role, sponsored by Alpha-Omega, and the recent addition of Jacob Coffee, the PSRT is stronger than ever. Here are 10 things you need to know about these changes and how they safeguard the Python ecosystem.

1. PEP 811: The First Formal Governance Blueprint

The PSRT now has an approved public governance document, PEP 811. This milestone establishes a clear framework for how the team operates, including member responsibilities, decision-making processes, and accountability measures. Previously, the team operated informally, but PEP 811 brings structure—balancing security needs with long-term sustainability. The document also clarifies how the PSRT interacts with the Python Steering Council, ensuring that security decisions are aligned with the broader project goals.

2. Public Member List: Transparency in Action

For the first time, the PSRT publishes a complete list of its members. This transparency helps the community know who is handling vulnerability reports and fosters trust. The list is kept up-to-date, reflecting new additions and departures. Each member's role (coordinator, reviewer, etc.) is documented, so contributors know exactly who to contact for specific security concerns. It’s a simple change that builds confidence in the team’s integrity.

3. Clear Onboarding and Offboarding Procedures

Becoming or leaving the PSRT is no longer a murky process. PEP 811 defines a step-by-step route for new members: nomination by an existing member, a ⅔ majority vote, and completion of a security orientation. Offboarding is equally structured, covering voluntary resignation or removal for inactivity. This sustainability-focused process ensures the team stays agile while maintaining institutional knowledge.

4. Defined Roles: Members vs. Admins

The governance document splits responsibilities between members (who handle vulnerability triage and coordination) and administrators (who manage team logistics, voting, and records). This separation prevents conflicts of interest and clarifies accountability. Admins, for instance, oversee the onboarding of new members while members focus on technical work. The distinction also makes it easier to distribute workload and avoid burnout.

5. Jacob Coffee: First New Non-Release Manager Member Since 2023

In a promising sign of growth, Jacob Coffee—the PSF Infrastructure Engineer—joined the PSRT as its first member outside the “Release Manager” group since Seth Larson came on board in 2023. Jacob’s infrastructure expertise strengthens the team’s ability to manage security advisories, especially those involving PyPI and other core services. His addition proves the new onboarding process works and signals that the PSRT is opening its doors to diverse skill sets.

6. Seth Larson: Security Developer-in-Residence Funded by Alpha-Omega

Seth Larson’s role as Security Developer-in-Residence is supported by Alpha-Omega, a project focused on improving open source security. In this capacity, Seth has spearheaded the governance overhaul and day-to-day coordination of the PSRT. His work includes developing automated workflows for vulnerability tracking and ensuring that every advisory credits all contributors—from reporters to fix authors. This sponsorship underscores the value of dedicated security roles in open source.

7. Record-Breaking 16 Advisories in 2023

The PSRT published 16 vulnerability advisories for CPython and pip in 2023—the highest number ever recorded in a single year. This surge isn’t a sign of declining security; rather, it highlights improved detection and proactive disclosure. Each advisory comes with a coordinated fix and mitigation advice, helping millions of Python users stay safe. The jump in numbers also reflects the team’s expanded capacity thanks to new members like Jacob.

8. Involving Project Experts in Every Fix

The PSRT rarely works in isolation. When a vulnerability is reported, coordinators bring in the maintainers and subject-matter experts of the affected project or submodule (e.g., `tarfile`, `ssl`). This collaborative approach ensures that patches respect existing API conventions, threat models, and maintainability. It also minimizes disruption to users by considering edge cases. The result: fixes that are both secure and practical.

9. Cross-Ecosystem Coordination (PyPI Attack Case)

Sometimes vulnerabilities affect multiple projects. The PSRT proactively coordinates with other open source communities to avoid surprising downstream users. A recent example is the PyPI ZIP archive differential attack mitigation, where the team worked directly with PyPI maintainers to roll out protections. This cross-ecosystem coordination prevents one project’s fix from inadvertently breaking another, and it builds trust across the entire Python supply chain.

10. How You Can Join the PSRT

Think you have what it takes? You don’t need to be a core developer or even a longtime Python contributor. The nomination process is similar to the Core Team nomination model: a current PSRT member must nominate you, and you need a ⅔ positive vote from the existing team. Skills in code review, vulnerability analysis, or even project management are welcome. If you’re passionate about keeping Python secure, reach out to a member—your future team is waiting.

The Python Security Response Team is more equipped than ever to handle vulnerabilities, thanks to these new structures and dedicated individuals. Whether you’re a security researcher or a curious developer, stay involved by following their advisories and consider joining the team. Together, we make Python safer for everyone.