10 Key Updates About the Python Security Response Team You Should Know
The Python Security Response Team (PSRT) has been quietly working behind the scenes to keep the Python ecosystem secure. Recent governance changes, new members, and improved processes are making the team more transparent and sustainable. Here are ten essential things you need to know about the PSRT right now.
1. A Formal Governance Document Is Now Approved
Thanks to the efforts of Security Developer-in-Residence Seth Larson, the PSRT now operates under an official public governance document, PEP 811. This document codifies the team’s structure and decision-making processes, ensuring that security operations are transparent and accountable. It replaces informal practices with a clear framework, making it easier for new members to understand their roles and for the broader community to trust the team’s work. The approval marks a major milestone in professionalizing Python’s security response.
2. Public List of Team Members Is Now Available
For the first time, the PSRT publishes a public list of its members. This transparency helps the community know who is handling vulnerability reports and who to contact. It also builds trust by showing the expertise and diversity of the team. The list is maintained on the Python Security Response Team page, and it is updated as members join or leave. This open approach aligns with Python’s community values while still respecting the sensitive nature of security work.
3. Clear Responsibilities Are Defined for Members and Admins
The new governance document spells out exactly what each role entails. Members are responsible for triaging and coordinating vulnerability responses, while admins handle administrative tasks like managing repositories and onboarding. This clarity prevents role confusion and ensures that every task—from initial report to public advisory—has an owner. It also helps new members quickly understand what is expected of them, reducing the learning curve and improving response times.
4. A Structured Process for Onboarding and Offboarding
Security teams often struggle with membership turnover, but the PSRT now has a defined process. Onboarding includes training on vulnerability handling practices and tools, while offboarding ensures that departing members securely transfer their responsibilities. This structured approach balances the need for security (e.g., credential revocation) with sustainability (e.g., preserving institutional knowledge). It also makes the team more resilient when members step down, as the process is documented and repeatable.
5. Relationship With the Python Steering Council Is Clarified
The document defines the relationship between the PSRT and the Python Steering Council. The Steering Council provides strategic oversight and approves major decisions, but day-to-day security operations remain with the PSRT. This separation of powers ensures that security responses are swift and expert-led, while the Council ensures alignment with the broader Python project goals. It is a model of governance that other open-source projects may want to emulate.
6. First Non-Release Manager Member Since 2023 Joins
Jacob Coffee, the PSF Infrastructure Engineer, has recently joined the PSRT as the first new member who is not a Release Manager since Seth Larson joined in 2023. This signals a broader effort to bring in diverse expertise beyond core release management. Jacob’s infrastructure background will strengthen the team’s ability to handle security issues related to build systems, package distribution, and deployment tools. His onboarding followed the new structured process, proving it works in practice.
7. Seth Larson Continues as Security Developer-in-Residence
Seth Larson’s role as Security Developer-in-Residence at the Python Software Foundation is central to these improvements. Sponsored by Alpha-Omega, Seth has driven the governance overhaul and is working on streamlining workflows. He also focuses on sustainability—ensuring that the PSRT can handle an increasing number of vulnerability reports without burning out volunteers. His position is a key part of Python’s investment in security infrastructure.
8. Record Number of Vulnerability Advisories in 2023
In 2023 the PSRT published 16 vulnerability advisories for CPython and pip, the most in a single year to date. The increase reflects both growing attention to security in the Python ecosystem and the team's improved capacity to handle reports. Each advisory gives users the fixed versions and, where available, workarounds, so they can patch on a known timeline. The team also coordinates with maintainers of affected libraries so that fixes land across the ecosystem rather than in CPython alone.
9. Collaboration With Other Open Source Projects
The PSRT doesn't work in isolation. It often coordinates with other open source projects so that vulnerabilities spanning several projects do not catch the community off guard. A recent example is the mitigation of ZIP parser differentials on PyPI, where the PSRT worked with PyPI maintainers to address an issue that could have affected multiple projects. A parser differential is an archive that two ZIP implementations unpack to different contents, so a scanner can inspect one set of files while an installer extracts another. Closing that gap reduces risk for every consumer of the index and strengthens the entire Python ecosystem.
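To make the ZIP parser differential concrete, here is an added example; it is constructed for this page and is not code from the PSRT, PyPI or CPython, and the archive and the check in it are illustrations, not PyPI's actual rule. It concatenates two complete archives: CPython's zipfile locates the end-of-central-directory record by scanning from the tail and so reads the second archive, while a naive streaming reader that walks local file headers from offset 0 sees the first. The consistency check at the end rejects such archives; it assumes the archive starts at offset 0 (no self-extractor stub) and relies on zipfile's undocumented `start_dir` attribute for the prefix-adjusted central directory offset.

```python
"""ZIP parser differential: one archive, two readers, two answers.
Constructed example, not PSRT/PyPI/CPython code."""
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"
LOCAL_HEADER_FMT = "<HHHHHIIIHH"  # local header fields after the 4-byte signature
LOCAL_HEADER_LEN = 30


def make_zip(members: dict) -> bytes:
    """Build a stored (uncompressed) archive from {name: bytes}. Test input only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_ambiguous_archive() -> bytes:
    """Two complete archives back to back. zipfile finds the SECOND archive's
    end-of-central-directory record and treats the first archive as a prefix;
    a reader that starts at offset 0 sees the FIRST archive's member."""
    first = make_zip({"payload.txt": b"benign contents\n"})
    second = make_zip({"payload.txt": b"malicious contents\n"})
    return first + second


def read_via_central_directory(blob: bytes, name: str) -> bytes:
    """What CPython's zipfile module returns for the named member."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.read(name)


def read_via_local_headers(blob: bytes) -> dict:
    """Naive streaming reader: walks local file headers from offset 0 and stops
    at the first record that is not a local header. Stored entries only."""
    seen = {}
    pos = 0
    while blob[pos:pos + 4] == LOCAL_SIG:
        (_ver, flags, method, _t, _d, _crc, csize, _usize, nlen, xlen) = \
            struct.unpack(LOCAL_HEADER_FMT, blob[pos + 4:pos + LOCAL_HEADER_LEN])
        if method != zipfile.ZIP_STORED or flags & 0x8:
            raise ValueError("demo reader only handles stored entries with sizes in the header")
        name = blob[pos + LOCAL_HEADER_LEN:pos + LOCAL_HEADER_LEN + nlen].decode()
        data_start = pos + LOCAL_HEADER_LEN + nlen + xlen
        seen.setdefault(name, blob[data_start:data_start + csize])  # first entry wins
        pos = data_start + csize
    return seen


def is_unambiguous(blob: bytes) -> bool:
    """Illustrative consistency check (assumption: not PyPI's real rule).
    Walking local headers from offset 0 must visit exactly the entries the
    central directory lists, at the offsets it records, and must end exactly
    where the central directory begins. Assumes no self-extractor stub."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        by_offset = {zi.header_offset: zi for zi in zf.infolist()}
        cd_start = zf.start_dir  # undocumented: prefix-adjusted central directory offset
    pos = 0
    visited = set()
    while pos < cd_start:
        if blob[pos:pos + 4] != LOCAL_SIG:
            return False  # junk between entries
        zi = by_offset.get(pos)
        if zi is None:
            return False  # a local header the central directory does not reference
        (_ver, flags, _m, _t, _d, _crc, _cs, _us, nlen, xlen) = \
            struct.unpack(LOCAL_HEADER_FMT, blob[pos + 4:pos + LOCAL_HEADER_LEN])
        visited.add(pos)
        pos += LOCAL_HEADER_LEN + nlen + xlen + zi.compress_size
        if flags & 0x8:  # data descriptor follows the data, with optional signature
            pos += 16 if blob[pos:pos + 4] == b"PK\x07\x08" else 12
    return pos == cd_start and visited == set(by_offset)


if __name__ == "__main__":
    blob = build_ambiguous_archive()
    print("zipfile sees:   ", read_via_central_directory(blob, "payload.txt"))
    print("streaming sees: ", read_via_local_headers(blob)["payload.txt"])
    print("accepted:", is_unambiguous(blob))
```

Run as a script it prints the two different contents for the same member name, then `accepted: False`. The check fails the concatenated archive at its very first step, because the local header at offset 0 is not referenced by the central directory that zipfile found; a well-formed single or multi-member archive passes.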
10. How You Can Join the PSRT
If you are interested in helping secure Python, you can become a member. The process is similar to the Core Team nomination: you need an existing PSRT member to nominate you, and your nomination must receive at least two-thirds positive votes from current members. You do not need to be a core developer; the team values diverse skills. If you have experience with vulnerability analysis, patching, or even security documentation, consider reaching out to a current member. Every contribution helps keep Python safe.
Conclusion
The Python Security Response Team is evolving to meet the challenges of a growing ecosystem. From a formal governance document to a record number of advisories, these updates show a commitment to transparency and sustainability. Whether you are a user who wants to understand how vulnerabilities are handled or a potential volunteer looking to join, there has never been a better time to get involved. Stay vigilant, and consider supporting the PSF’s security initiatives.