Quick Facts
- Category: Programming
- Published: 2026-05-01 02:32:16
Security doesn't happen by accident. Behind every Python release, there's a dedicated team working tirelessly to identify, triage, and coordinate fixes for vulnerabilities. The Python Security Response Team (PSRT) has recently undergone major governance updates, made its membership public, and welcomed a new member. Here are seven crucial things you need to know about the PSRT and how you can get involved.
1. A Formal Governance Document Now Exists (PEP 811)
Thanks to the efforts of Security Developer-in-Residence Seth Larson, the PSRT now operates under an official governance document known as PEP 811. This document standardizes the team's structure, responsibilities, and decision-making processes. It marks a significant step toward transparency and long-term sustainability for Python security. Before this, the team operated more informally—now everything is clearly defined and publicly available.
2. The PSRT Now Publishes a Public Member List
For the first time, the PSRT has made its list of members publicly accessible. This transparency helps the community know who is handling vulnerability reports and allows for accountability. In addition, the team has documented the specific responsibilities for both regular members and administrators. Anyone interested can see exactly what roles exist and what is expected of each position.
3. A Clear Onboarding and Offboarding Process
The new governance defines a formal process for adding and removing team members. This balances the need for security (keeping sensitive vulnerability information restricted) with the need for sustainability (ensuring the team doesn't burn out and has fresh perspectives). New members are now onboarded through a structured procedure, and there's also a defined path for members who need to step down—ensuring continuity of operations.
4. The Relationship with the Python Steering Council Is Clarified
Another important aspect of PEP 811 is that it spells out how the PSRT interacts with the Python Steering Council, the top-level decision-making body for the Python language. The document clarifies who has authority over what—for example, critical security decisions that might affect the language's future must be escalated appropriately. This prevents confusion and ensures that security work aligns with the broader goals of the Python community.
5. A New Member Has Already Joined Through the New Process
The onboarding process is already working. Jacob Coffee, the PSF Infrastructure Engineer, has just become the first member added under the new governance who is not a Release Manager. The last time a non-Release Manager joined was when Seth Larson himself joined in 2023. This shows the new process is opening doors for a wider range of contributors, which is essential for the team's health and long-term sustainability.
6. The PSRT Published a Record Number of Advisories Last Year
In the last year alone, the team published 16 vulnerability advisories for CPython and pip—the highest ever in a single year. Each advisory represents a vulnerability that was responsibly disclosed, triaged, and fixed before it could be exploited at scale. The PSRT often works directly with project maintainers and experts to ensure that patches are both secure and maintainable, and they coordinate with other open source projects when a vulnerability spans multiple ecosystems.
7. How to Join the PSRT (and How Contributions Are Recognized)
Interested in contributing to Python security directly? The process mirrors the Core Team nomination: you need an existing PSRT member to nominate you, and the nomination must receive at least a two-thirds majority vote from existing members. You do not need to be a core developer or triager—anyone with relevant skills and trust can be considered. The team is also working on improving how contributors are credited. They are developing workflows to record the reporter, coordinator, and remediation developers in CVE and OSV records, giving public recognition for the vital but often invisible work of securing the Python ecosystem.
The PSRT is not just a guardian; it's a model for sustainable open-source security. With new governance, transparent membership, and a growing roster of contributors, the team is stronger than ever. Whether you report a vulnerability, develop a fix, or nominate a colleague, you are part of keeping Python secure for everyone.