Quick Facts
- Category: Programming
- Published: 2026-05-03 00:42:07
The Python Security Response Team (PSRT) plays a crucial role in safeguarding the Python ecosystem by handling vulnerability reports and coordinating fixes. Thanks to the work of Security Developer-in-Residence Seth Larson, the team now operates under a formal governance document (PEP 811) that outlines membership, responsibilities, and onboarding processes. This new structure has already led to the addition of Jacob Coffee, the first non-Release Manager member since Seth joined in 2023. Below, we answer common questions about the PSRT, its recent changes, and how you can get involved.
What is the Python Security Response Team (PSRT) and what do they do?
The Python Security Response Team (PSRT) is a dedicated group of volunteers and paid Python Software Foundation (PSF) staff responsible for triaging and coordinating responses to security vulnerabilities in CPython and pip. Their work is what turns a private vulnerability report into a fix and a published advisory that Python users can act on. In 2023 alone, the PSRT published 16 vulnerability advisories, the highest number in a single year to date. The team doesn't work in isolation; they frequently involve project maintainers, subject matter experts, and other open-source projects to craft fixes that are both effective and maintainable. The PSRT also coordinates with external projects to prevent ecosystem-wide disruptions, as it did when coordinating the mitigation for the recent PyPI ZIP archive differential attack. Ultimately, the team's efforts help keep the Python language and its infrastructure secure for millions of users worldwide.
What recent changes have been made to the PSRT's governance structure?
Effective governance is key to the PSRT's sustainability. With the adoption of PEP 811, the team now has a publicly approved governance document that formalizes its operations. Key changes include a publicly visible list of members, clearly defined responsibilities for both regular members and administrators, and a documented process for onboarding and offboarding members. This structure balances security needs with the long-term health of the team. Additionally, the document clarifies the relationship between the PSRT and the Python Steering Council, ensuring smooth collaboration on security matters. The new onboarding process is already bearing fruit—Jacob Coffee joined as the first new non-"Release Manager" member since 2023, demonstrating the team's commitment to bringing in fresh perspectives and expertise.
Who is the Security Developer-in-Residence and what is their role?
The Security Developer-in-Residence is a position sponsored by the Alpha-Omega project and held by Seth Larson. This role focuses exclusively on improving Python's security posture, including the creation of PEP 811 and the subsequent modernization of the PSRT. Seth works alongside other team members to streamline vulnerability handling, improve workflows—such as using GitHub Security Advisories for tracking contributions—and advocate for better recognition of security contributors. He also helps bridge the gap between the PSRT and the broader Python community. Without his dedicated efforts, the recent governance advancements and the successful onboarding of new members like Jacob Coffee would not have been possible. Seth's work exemplifies how funded security roles can catalyze positive change in open-source ecosystems.
How can someone become a member of the PSRT?
Joining the PSRT is an opportunity to directly contribute to Python's security. The process mirrors the Core Team nomination procedure: you must be nominated by an existing PSRT member, and the nomination must receive at least two-thirds positive votes from the current membership. Importantly, you do not need to be a core developer, team member, or triager to be considered. The team values diverse skills, including but not limited to security expertise, infrastructure knowledge, or experience with vulnerability coordination. Once nominated, the governance document ensures a transparent and fair evaluation. If you're passionate about Python security and think you can make a difference, reach out to a current PSRT member to discuss your interest.
How does the PSRT coordinate with other projects and maintainers?
Security vulnerabilities often affect multiple components or ecosystems. The PSRT actively involves project maintainers and domain experts in the remediation process to ensure fixes respect existing APIs, threat models, and maintainability. This collaborative approach minimizes disruptions for users while preserving code quality. Furthermore, the team coordinates with other open-source projects when a vulnerability crosses boundaries—for example, by synchronizing disclosure dates to avoid surprising dependent projects. A notable case is the PyPI ZIP archive differential attack, where early coordination helped prevent widespread exploitation. By fostering these partnerships, the PSRT ensures that Python's security response is holistic, efficient, and aligned with industry best practices.
What recognition is given to contributors involved in security work?
Security contributions often happen behind closed doors, making recognition difficult. To address this, Seth Larson and Jacob Coffee are developing improved workflows using GitHub Security Advisories that automatically attribute contributions to reporters, coordinators, and remediation developers. These attributions are then recorded in CVE and OSV records, ensuring proper credit is given. The goal is to celebrate security work as visibly as code commits or documentation updates. By making these contributions publicly acknowledged, the PSRT hopes to attract more volunteers and foster a culture of appreciation. This change underscores the team's commitment to sustainability—both in terms of processes and people—and serves as a model for other open-source security teams.
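The OSV records mentioned above carry attribution in a `credits` array whose `type` field is an enumeration defined by the OSV schema (the same role names the CVE 5.x format uses: FINDER, REPORTER, ANALYST, COORDINATOR, REMEDIATION_DEVELOPER, REMEDIATION_REVIEWER, REMEDIATION_VERIFIER, TOOL, SPONSOR, OTHER). The script below is an added example, not code from the PSRT or the page, that groups the credits of an OSV record by role and rejects any credit whose type is not in the schema enumeration; the advisory ID, names and contacts in the embedded record are constructed placeholders, not a real advisory.

```python
"""Group the credits in an OSV advisory record by role.

Added example, not PSRT code. The sample record below is constructed;
only the shape (OSV schema) and the credit 'type' enumeration are real.
"""
import json
from collections import defaultdict

# Credit types defined by the OSV schema (mirrors the CVE 5.x credit types).
OSV_CREDIT_TYPES = frozenset({
    "FINDER", "REPORTER", "ANALYST", "COORDINATOR",
    "REMEDIATION_DEVELOPER", "REMEDIATION_REVIEWER",
    "REMEDIATION_VERIFIER", "TOOL", "SPONSOR", "OTHER",
})

# Constructed sample: the ID, package, people and contacts are placeholders.
SAMPLE_OSV = json.dumps({
    "schema_version": "1.6.0",
    "id": "PSF-0000-0000",
    "summary": "Example advisory (constructed, not a real CPython or pip issue)",
    "affected": [{"package": {"ecosystem": "PyPI", "name": "example-package"}}],
    "credits": [
        {"name": "Reporter One", "type": "REPORTER",
         "contact": ["https://github.com/example-reporter"]},
        {"name": "Coordinator Two", "type": "COORDINATOR"},
        {"name": "Fixer Three", "type": "REMEDIATION_DEVELOPER"},
        {"name": "Fixer Four", "type": "REMEDIATION_DEVELOPER"},
        # 'type' is optional in the schema; an untyped credit is treated as OTHER.
        {"name": "Legacy Credit"},
    ],
})


def credits_by_role(osv_json: str) -> dict[str, list[str]]:
    """Return {credit_type: [names]} for one OSV record, in record order.

    Raises ValueError for a credit whose 'type' is outside the schema
    enumeration, so a mistyped role is caught before the record is published.
    """
    record = json.loads(osv_json)
    grouped: dict[str, list[str]] = defaultdict(list)
    for credit in record.get("credits", []):
        role = credit.get("type", "OTHER")
        if role not in OSV_CREDIT_TYPES:
            raise ValueError(f"{record.get('id')}: unknown credit type {role!r}")
        grouped[role].append(credit["name"])
    return dict(grouped)


def format_acknowledgements(osv_json: str) -> str:
    """Render one acknowledgement line per role, as release notes might list them."""
    lines = []
    for role, names in credits_by_role(osv_json).items():
        label = role.replace("_", " ").title()
        lines.append(f"{label}: {', '.join(names)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_acknowledgements(SAMPLE_OSV))
```

Run against a real record (for example one from a project's OSV advisory database) the same function gives a per-role list of everyone the advisory credits, which is the visibility the workflow described above is meant to produce; the type check is the guard that keeps a hand-edited record from publishing a role name no consumer of the schema will recognise.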