How to Join the Python Security Response Team: A Step-by-Step Guide

Overview

Security in open source doesn't materialize out of thin air. The Python Security Response Team (PSRT) is the dedicated group of volunteers and paid staff who triage, coordinate, and resolve vulnerability reports affecting the entire Python ecosystem. Recent milestones, such as the formal approval of PEP 811 governance and the onboarding of Jacob Coffee (the first non-Release Manager member since Seth Larson joined in 2023), have made the PSRT more transparent and approachable than ever. This guide walks you through everything you need to know to become a member of this critical team.

In 2023 alone, the PSRT published 16 vulnerability advisories for CPython and pip — the highest annual count to date. The team also collaborates with external projects, as seen with PyPI's ZIP archive differential attack mitigation, ensuring the entire Python ecosystem remains secure. Now, thanks to a documented onboarding process and clear responsibilities, the path to joining is well defined.

Prerequisites

Before you start the nomination process, ensure you meet the following criteria:

• Existing PSRT member sponsorship — You need a current PSRT member to nominate you. This is the only direct requirement; you do not need to be a core developer, triager, or maintainer of any particular project.
• Familiarity with Python security — While not a formal prerequisite, having experience with vulnerability handling, CVE processes, or Python internals will make you a stronger candidate.
• Commitment to the team's mission — The PSRT values sustainability and long-term engagement. Be prepared to actively participate in triage and coordination.

If you lack a sponsor, start by engaging with the community and contributing to security discussions on Python's issue trackers or mailing lists.

Step-by-Step Instructions

The nomination process mirrors the Python Core Team nomination, but with a security focus. Follow these steps carefully.

1. Find a Sponsor

Locate an existing PSRT member who can vouch for your contributions. The current member list is publicly available on the PSRT governance page (PEP 811). Reach out via the security@python.org mailing list or directly through Python community channels. Explain your interest in security work and provide examples of relevant experience, such as:

• Contributions to CPython or pip vulnerability patches
• Coordination of past security advisories
• Active participation in security discussions on discuss.python.org

2. Prepare Your Nomination

Your sponsor will submit a formal nomination to the PSRT mailing list or internal tracker. The nomination should include:

• A brief statement of your background and motivation
• A summary of your security-related contributions
• Any supporting endorsements from other community members

Example nomination template (write in your own words):

I nominate Jane Doe for membership in the Python Security Response Team. 
Jane has been instrumental in triaging multiple PyPI dependency vulnerabilities 
and helped coordinate the fix for CVE-2023-XXXX. Her deep understanding of 
Python's import system and threat models makes her an ideal addition.

3. The Voting Process

Once the nomination is received, the PSRT conducts a vote among all current members. The rule is clear: at least ⅔ positive votes are required for acceptance. Voting typically occurs over a period of 1-2 weeks via a private mailing list or secure poll. The result is communicated to the nominee and the Steering Council.

4. Onboarding

After a successful vote, the new member undergoes an onboarding process defined by PEP 811. This includes:

• Access to private security infrastructure (GitHub Security Advisories, private trackers)
• Briefing on current vulnerabilities and workflows
• Assignment of an existing member as a mentor for the first few months

The PSRT also ensures that roles are sustainable — each member has documented responsibilities, and admins manage the operational side to prevent burnout.

Common Mistakes

Avoid these pitfalls that can delay or derail your nomination:

• Underestimating the time commitment — Security triage is unpredictable. Be ready to respond quickly when a critical vulnerability surfaces.
• Assuming you need to be a core developer — The PSRT welcomes experts from all backgrounds: security researchers, package maintainers, and infrastructure engineers are all valuable.
• Neglecting communication — Poor written communication can hinder coordination. Practice clear, concise reporting of vulnerabilities and fixes.
• Ignoring the governance document — PEP 811 outlines roles, offboarding procedures, and the relationship with the Steering Council. Read it carefully before applying.
• Rushing the sponsorship step — Don't ask for a nomination without first building a relationship with existing members. Contribute to security-related issues first to demonstrate your commitment.

Summary

The Python Security Response Team is more open and accessible than ever. With a clear governance document, public membership list, and a standardized onboarding process, contributing to Python's security is no longer an opaque process. By finding a sponsor, preparing a strong nomination, and understanding the voting requirements (⅔ majority), you can join a team that directly protects every Python user. The recent addition of Jacob Coffee shows the process works — now it's your turn to bolster the sustainability of Python security.

Remember, security work deserves recognition. The PSRT is actively improving how contributors are credited in CVEs and OSV records. Join the team and make Python safer for everyone.