Strengthening Python Security: Inside the New PSRT Governance and How You Can Contribute
Introduction
Security in open source doesn't happen by magic; it requires dedicated people and clear structures. The Python Security Response Team (PSRT) has taken a major step forward by formalizing its operations in a newly approved governance document, PEP 811. The change brings transparency, sustainability, and a clear path for new members to join the team. Here is what's new and how you can get involved.
PEP 811: A New Framework for Python Security
Thanks to the efforts of Seth Larson, the Security Developer-in-Residence at the Python Software Foundation (PSF), the PSRT now operates under a public governance document, PEP 811. The document describes the team's structure, responsibilities, and processes. For the first time, the PSRT publishes a public list of its members, documents the duties of members and admins, and defines a formal onboarding and offboarding procedure. Together these let the team balance the confidentiality that vulnerability handling requires with the long-term sustainability of a volunteer-heavy team.
The governance also clarifies the relationship between the Python Steering Council and the PSRT, providing both teams with clear expectations and boundaries.
Onboarding in Action: Jacob Coffee Joins the Team
The new onboarding process is already bearing fruit. Jacob Coffee, the PSF Infrastructure Engineer, has become the first new non-Release Manager member to join the PSRT since Seth Larson joined in 2023. This is a significant milestone: it shows the governance framework working as intended. More members are expected to follow, further strengthening the sustainability of Python's security efforts.
What Does the PSRT Actually Do?
The PSRT, composed of volunteers and paid PSF staff, triages incoming vulnerability reports and coordinates their remediation and disclosure. This work protects every Python user. In the past year alone, the PSRT published 16 vulnerability advisories for CPython and pip, a record for a single year.
The PSRT rarely works in isolation. Coordinators actively involve maintainers and domain experts in the remediation process. That collaboration ensures fixes adhere to existing API conventions, respect the affected component's threat model, remain maintainable in the long term, and minimize disruption to users. Sometimes the team coordinates with other open source projects, as with the recent mitigation of ZIP archive differential attacks against PyPI, to prevent widespread ecosystem impact.
Celebrating Behind-the-Scenes Work
Security contributions often go unnoticed because they happen in private: coordinated disclosure keeps reports, fixes, and reviews under embargo until the advisory ships. Seth Larson and Jacob Coffee are developing improvements to how GitHub Security Advisories record contributions. These changes will properly attribute reporters, coordinators, remediation developers, and reviewers in CVE and OSV records. This recognition matters; security work deserves the same celebration as source code or documentation contributions.
How Can You Join the PSRT?
If you want to help keep Python secure directly, the path is now clearer than ever. The process mirrors the Core Team nomination process: an existing PSRT member nominates you, and the nomination must then receive at least two-thirds positive votes from current members.
Importantly, you do not need to be a core developer, team member, or triager to join. The PSRT values diverse skills and perspectives. If you have expertise in vulnerability analysis, disclosure coordination, or secure development, you could be a valuable addition.
Support from Alpha-Omega
This progress would not be possible without the support of Alpha-Omega, which sponsors Seth Larson's work as the Security Developer-in-Residence at the PSF. Their investment underscores the importance of dedicated, funded security roles in open source ecosystems.
Conclusion
The PSRT is stronger than ever thanks to PEP 811, a growing team, and a transparent process. Whether you are a seasoned security expert or someone looking to contribute to a vital open source project, the door is open. Get involved, and help keep Python safe for everyone.