How to Join the Python Security Response Team: A Step-by-Step Guide
Overview
The Python Security Response Team (PSRT) is the frontline defense for the Python ecosystem, handling vulnerability reports, coordinating fixes, and publishing advisories. Thanks to the efforts of Seth Larson, the Security Developer-in-Residence, the PSRT now operates under an approved public governance document (PEP 811). This new framework brings transparency: a public list of members, clearly defined responsibilities for both members and admins, and an established process for onboarding and offboarding—balancing security needs with long-term team sustainability. The PSRT’s relationship with the Python Steering Council is also formally clarified.
The modernized onboarding process is already yielding results. Jacob Coffee, the PSF Infrastructure Engineer, became the first non-Release Manager member to join the PSRT since Seth joined in 2023. More members are expected to bolster the team, ensuring the Python language remains secure for everyone.
Security doesn’t happen by accident. Last year alone, the PSRT published 16 vulnerability advisories for CPython and pip—a record high. The team often works with project maintainers and experts to ensure fixes are appropriate, maintainable, and minimally disruptive. Occasionally, they coordinate with other open source projects, as seen in the PyPI ZIP archive differential attack mitigation effort.
Recognition for security work is vital. Seth and Jacob are improving workflows using GitHub Security Advisories to record reporters, coordinators, and remediation developers in CVE and OSV records, giving proper credit to everyone involved.
If you want to directly contribute to Python’s security, this guide will walk you through the nomination and membership process.
Prerequisites
Before you seek PSRT membership, ensure you meet the following criteria:
- No core developer requirement: You do not need to be a core developer, triager, or release manager. The PSRT values diverse skills and perspectives.
- Active involvement in Python security: Familiarity with vulnerability handling, security patches, or the Python security ecosystem helps. Prior experience in security research, infrastructure, or open source security coordination is a plus.
- Nominator: You need an existing PSRT member to nominate you. Build relationships within the community—perhaps by contributing to security-related issues or discussions.
- Commitment: PSRT members volunteer their time. Being responsive and collaborative during vulnerability triage and remediation is essential.
Step-by-Step Instructions to Join the PSRT
Step 1: Understand the Governance
Read PEP 811 to understand the team’s purpose, member responsibilities, and the voting process. Knowing the rules equips you for a smooth nomination.
Step 2: Gain Visibility and Build Trust
Engage with the Python security community. Contribute to security-focused projects, participate in discussions on the Python Security Forum, or help triage issues. Demonstrating your skills and reliability increases your chance of being nominated.
Step 3: Get Nominated by an Existing Member
The nomination process mirrors the Core Team nomination process. An active PSRT member must formally nominate you. They will propose your membership to the team, typically via the private PSRT mailing list or communication channel.
Step 4: Voting Phase
Once nominated, the PSRT conducts a vote among all existing members. For your nomination to succeed, it must receive positive votes from at least two-thirds (⅔) of the current members. Abstentions do not count as votes, but quorum rules may apply; check PEP 811 for details.
Step 5: Onboarding and Active Participation
If the vote passes, you’ll be formally added to the public list of PSRT members. You will receive onboarding materials, including access to private repositories and communication channels. Start by shadowing ongoing vulnerability reports under a mentor (often a senior member or admin). Gradually take on coordinator duties for advisories.
As a member, you are expected to:
- Triage and coordinate vulnerability reports.
- Involve maintainers and experts for fixes.
- Help maintain documentation and governance.
- Participate in team votes and discussions.
Admins have additional responsibilities like managing membership lists and representing the PSRT to the Steering Council.
Common Mistakes
- Assuming you must be a core developer: The PSRT welcomes non-core contributors. Focus on your security expertise, not your commit bit.
- Not reading PEP 811: Skipping the governance document may lead to misunderstandings about responsibilities or voting rules.
- Relying on self-nomination: You cannot nominate yourself. Cultivate relationships so a current member will support you.
- Underestimating the ⅔ vote threshold: Ensure your nominator has discussed your candidacy with the team beforehand. Surprise nominations may face resistance.
- Neglecting to build trust: Without active contributions, it’s unlikely you’ll be nominated. Engage consistently in security work.
- Confusing PSRT with other Python teams: The PSRT focuses exclusively on vulnerability handling, not code review or general development.
Summary
The Python Security Response Team is a vital part of the Python ecosystem, now operating under a transparent governance model (PEP 811). Membership is open to anyone with demonstrated security skills—no core developer status required. The pathway involves gaining a nomination, securing at least ⅔ positive votes, and completing onboarding. Recent expansions show the process works, and new members are actively contributing to Python’s security. By joining the PSRT, you help keep the language safe for millions of users worldwide.
Ready to contribute? Start by engaging with the security community, understanding the governance, and seeking a nomination from an existing member.