Python Security Response Team Expands with New Governance and Members
The Python Security Response Team (PSRT) has long been the backbone of security for the Python ecosystem, handling vulnerability reports and coordinating fixes. Recent developments, fueled by the work of Security Developer-in-Residence Seth Larson, have brought a new level of transparency and sustainability to the team. A formal governance document, PEP 811, now defines the team’s structure, while a streamlined onboarding process has already welcomed its first new member in over two years. These changes ensure that Python’s security efforts remain robust, collaborative, and ready for the challenges ahead.
New Governance Structure for PSRT
Thanks to Seth Larson’s dedicated work, the PSRT now operates under an approved public governance document: PEP 811. This document marks a significant step forward in transparency and accountability. For the first time, the PSRT publishes a public list of its members, detailing their roles and responsibilities. The governance charter clearly outlines duties for both members and administrators, and it establishes a defined process for onboarding and offboarding team members—a crucial balance between security needs and long-term sustainability.
The document also clarifies the relationship between the PSRT and the Python Steering Council, ensuring that security decisions align with the broader governance of the Python language. This structured approach reduces bottlenecks, improves response times, and makes it easier to scale the team as the ecosystem grows.
First New Member Under Updated Process
The new onboarding process is already bearing fruit. Jacob Coffee, the PSF Infrastructure Engineer, has joined the PSRT as the first non-Release Manager member since Seth Larson himself joined in 2023. Jacob’s inclusion demonstrates the effectiveness of the updated governance—welcoming skilled contributors who are not traditional release managers but have critical expertise. The PSRT expects additional members to follow, further strengthening the sustainability of Python’s security work.
This expansion is supported by Alpha-Omega, a project that funds Seth Larson’s role as Security Developer-in-Residence at the Python Software Foundation. Their sponsorship is vital to maintaining dedicated security capacity for the Python ecosystem.
Understanding the Python Security Response Team
Security doesn’t happen by accident. The PSRT—composed of volunteers and paid PSF staff—triages and coordinates vulnerability reports and remediations, keeping all Python users safe. Their efforts are often invisible but essential: in the last year alone, the team published 16 vulnerability advisories for CPython and pip, the highest number in any single year to date.
Role and Responsibilities
PSRT coordinators don’t work in isolation. They actively involve project maintainers and subject-matter experts in the remediation process. By engaging experts directly, the team ensures that fixes adhere to existing API conventions, respect threat models, remain maintainable long-term, and minimize disruption to existing use cases. This collaborative approach prevents rushed patches that could introduce new issues.
The team also coordinates with other open-source projects when a vulnerability affects multiple ecosystems. A recent example is the PyPI ZIP archive differential attack mitigation, where the PSRT worked alongside other projects to avoid catching the Python community off-guard. Such cross-project coordination is a hallmark of responsible security management.
Recognition and Future Improvements
Security work often goes unrecognized compared to code or documentation contributions. Seth Larson and Jacob Coffee are developing new workflows using GitHub Security Advisories to properly credit everyone involved—reporters, coordinators, remediation developers, and reviewers. These credits will flow into CVE and OSV records, ensuring that the community celebrates these private contributions to open-source security. This initiative acknowledges that security is a team effort and that all participants deserve recognition.
How to Join the Python Security Response Team
If you’re inspired to help secure the Python language, joining the PSRT is a straightforward process—similar to the Core Team nomination process. You need an existing PSRT member to nominate you, and your nomination must receive at least two-thirds positive votes from current members.
You do not need to be a core developer, a team member, or even a triager to be considered. The PSRT values diverse expertise—whether you’re a security researcher, infrastructure engineer, or long-time contributor with a passion for security. If you have the skills and dedication, the team wants to hear from you. Interested? Reach out to a current PSRT member to start the conversation.
With its new governance, expanded team, and commitment to transparency, the Python Security Response Team is poised to keep the Python ecosystem safe for years to come.