Python Security Response Team Overhauls Governance, Onboards First New Member Since 2023
Breaking: Python Security Response Team Adopts New Governance, Welcomes First Non-Release Manager Member
The Python Security Response Team (PSRT) has approved a landmark governance document (PEP 811) formalizing its structure, roles, and membership processes. This move aims to balance security needs with long-term sustainability.
Jacob Coffee, the Python Software Foundation's Infrastructure Engineer, has become the first new member to join the PSRT who is not a Release Manager since Seth Larson's arrival in 2023. The onboarding process outlined in PEP 811 facilitated his inclusion.
"This governance framework is critical for ensuring the PSRT can scale effectively as the Python ecosystem grows," said Seth Larson, Security Developer-in-Residence at the Python Software Foundation. "We now have clear responsibilities, a transparent membership list, and a sustainable way to bring in new talent."
Background: The Role and Challenges of the Python Security Response Team
The PSRT is responsible for triaging and coordinating vulnerability reports and remediations for CPython and pip. In 2023 alone, the team published 16 advisories — the highest number in a single year.
Security work often goes unrecognized compared to code contributions. The new governance ensures that reporters, coordinators, and remediation developers receive proper credit in CVE and OSV records via GitHub Security Advisories.
Alpha-Omega has supported this work by sponsoring Seth Larson's position as Security Developer-in-Residence. Their funding has been instrumental in advancing Python ecosystem security.
What This Means for Python Security and Sustainability
The new governance document clarifies the relationship between the Python Steering Council and the PSRT, ensuring clear lines of authority and accountability. It also defines a formal onboarding and offboarding process, making it easier to sustain the team without overburdening existing members.
"We can now involve subject-matter experts directly in remediation workflows," added Larson. "This ensures fixes respect existing APIs, threat models, and long-term maintainability." For example, the recent PyPI ZIP archive differential attack mitigation required close coordination with multiple open source projects — a process now better supported by the PSRT's structure.
How to Join the Python Security Response Team
Interested contributors can be nominated by an existing PSRT member. The nomination must receive at least two-thirds positive votes from current members. You do not need to be a core developer or Release Manager to qualify.
"We're looking for diverse expertise," said Jacob Coffee, the newest PSRT member. "If you have security experience and a passion for Python, we want you." The team expects more members to join soon, further bolstering sustainability.
Future Improvements and Recognition
Seth Larson and Jacob Coffee are developing workflows to automatically record reporter, coordinator, and remediation contributors in CVE and OSV records. This will ensure proper attribution for behind-the-scenes security work — a step toward celebrating contributions that often go unnoticed.
For more details, see the PEP 811 governance document and the official PSRT page.