Your Path to Joining the Python Security Response Team: A Practical How-To Guide

Introduction

The Python Security Response Team (PSRT) is the frontline defense for the Python ecosystem: it receives vulnerability reports and coordinates fixes to keep millions of users safe. Thanks to the work of the Security Developer-in-Residence, Seth Larson, the team now operates under a formal governance structure defined in PEP 811. The new framework brings transparency: a public member list, clearly defined member and admin responsibilities, and a standardized process for onboarding and offboarding. The first new member to join under this process, Jacob Coffee, the PSF Infrastructure Engineer, shows that the process works, and more additions are expected. If you have ever wanted to contribute directly to Python security, this guide walks you through how to become a PSRT member.
What You Need

Before you begin, make sure you meet the following prerequisites. Prior membership in the core development team or any other Python project is not required; the PSRT values diverse expertise.

  • A nominator from the existing PSRT – You must be nominated by a current PSRT member who can vouch for your skills and commitment.
  • Support from at least two-thirds of the PSRT – Your nomination is put to a vote, and you need a two-thirds supermajority of positive votes to be accepted.
  • Active presence in the Python security community – Not formally required, but familiarity with vulnerability triage, security advisories, and the Python ecosystem greatly improves your chances of being nominated.
  • Time and dedication – Most PSRT work is done by volunteers (a few members are paid staff), so be ready to invest time in triaging reports and coordinating fixes.

Step-by-Step Guide

Step 1: Understand the PSRT’s Role and Governance

Start by reading PEP 811, the official governance document. It explains the team's mission: triage and coordinate vulnerability reports for CPython, pip, and other core Python projects. The PSRT publishes advisories (16 in 2023 alone) and works closely with maintainers and external projects. Knowing the structure helps you see where you might fit.

Step 2: Build Your Security and Python Expertise

The PSRT values hands-on experience. Contribute to Python security by reporting bugs, reviewing security patches, or helping with vulnerability research. Engage with the community on the python-security mailing list or in GitHub discussions. Jacob Coffee, the most recent member, brought his background as PSF Infrastructure Engineer, so any technical skill that strengthens ecosystem security is valuable.

Step 3: Connect with Current PSRT Members

Networking is key. Attend Python security talks at conferences (e.g., PyCon US), join the Python Security Forum, or reach out to members whose names appear on the public PSRT member list that PEP 811 introduced. Introduce yourself and express your interest in joining. Building these relationships increases your chances of finding someone to nominate you.

Step 4: Secure a Nomination

Once you have a relationship with a current PSRT member, ask them to nominate you. The process is similar to the Core Team nomination: the nominator formally proposes you to the rest of the team. There is no application form; everything happens through internal team communication.

Step 5: Participate in the Voting Process

After your nomination, the PSRT holds a vote. You need at least two-thirds of existing members to vote in favor. The voting period and method are defined in PEP 811. You will not take part in the vote itself, but be prepared to answer questions about your background and motivations. The team values integrity, technical skill, and a collaborative attitude.

Step 6: Complete Onboarding and Start Contributing

If the vote passes, you will be officially welcomed and onboarded. As outlined in the new governance, onboarding includes familiarizing yourself with current workflows, tools (such as GitHub Security Advisories), and reporting procedures. Reports arrive privately and stay under embargo until a fix is released, so handling them confidentially is part of the job from day one. Expect to shadow existing members initially, then take on coordinating roles. Your first contribution might be triaging a low-severity report or helping draft an advisory.

Step 7: Help Strengthen the Team’s Sustainability

The PSRT is always improving. As a member, you can contribute to process improvements, such as the work Seth and Jacob are doing to credit reporters and coordinators in CVE and OSV records. Your involvement helps keep the team sustainable and effective for the entire Python ecosystem.

Tips for Success

  • Stay persistent but patient. The nomination and voting process can take weeks. Keep contributing actively in the meantime.
  • Document your contributions. A track record of security work (e.g., CVEs you have helped mitigate, bug bounties, or open-source patches) makes it easier for a PSRT member to nominate you with confidence.
  • Learn from the team's history. Review past advisories on the CPython Security Advisories page to understand the kinds of vulnerabilities that come up and how they are handled.
  • Don't limit yourself to core development. The PSRT welcomes non-core developers; expertise in related projects such as pip or the packaging tooling is equally valuable.
  • Volunteer for related projects. Helping with PyPI security or participating in the Alpha-Omega initiative (which funds Seth's role) can raise your profile.
  • Celebrate the work. Security contributions often go unseen. Acknowledge others and encourage a culture of recognition, just as Seth and Jacob are doing by crediting reporters and coordinators in advisories and vulnerability records.

Joining the Python Security Response Team is a rewarding way to directly affect the safety of millions of Python users. By following these steps and building genuine connections within the security community, you can become part of a dedicated group that makes Python safer every day.