How to Become a Member of the Python Security Response Team

Introduction

The Python Security Response Team (PSRT) plays a critical role in keeping the Python ecosystem safe. Thanks to the recent approval of PEP 811—a public governance document championed by Security Developer-in-Residence Seth Larson—the team now operates with greater transparency and sustainability. A public member list, documented responsibilities, and a defined onboarding process ensure the PSRT can balance security needs with long-term team health. This new structure is already yielding results: Jacob Coffee, the PSF Infrastructure Engineer, recently became the first non–Release Manager member since Seth joined in 2023. If you have the skills and passion to help triage and coordinate vulnerability reports for CPython and pip, here’s how you can join the PSRT and contribute to a safer Python ecosystem.

What You Need

Before you begin the nomination process, ensure you meet these prerequisites:

  • A nominator from within the existing PSRT – You cannot self-nominate; you need an existing PSRT member to sponsor you.
  • Support of at least two‑thirds of current PSRT members – Your nomination must receive a positive vote from at least ⅔ of the team.
  • No requirement to be a core developer or triager – The PSRT values diverse backgrounds. You don’t need to be a CPython core developer, a team maintainer, or a triager to be considered.
  • Relevant experience (helpful, not required) – While not mandatory, experience in security, vulnerability handling, or open source project maintenance strengthens your application.
  • Commitment to sustainability and collaboration – The PSRT involves project maintainers and experts in remediations to maintain API conventions and long-term maintainability.

Step-by-Step Guide

  1. Understand the PSRT’s role and responsibilities. The PSRT is responsible for triaging, coordinating, and publishing vulnerability advisories for CPython, pip, and other critical projects. Last year alone, the team issued 16 advisories—the most in a single year. Members work closely with affected project maintainers and, when needed, coordinate with other open source projects to avoid ecosystem‑wide surprises (e.g., the recent PyPI ZIP archive differential attack mitigation). Review the PEP 811 governance document to understand defined duties for members and admins.
  2. Build a relationship with the community. Active participation in Python security discussions, bug bounties, or related mailing lists helps you become known to current PSRT members. Consider contributing to security improvements, filing detailed vulnerability reports, or assisting with existing advisories. The PSRT especially values those who demonstrate a collaborative spirit and willingness to involve domain experts.
  3. Find a PSRT member to nominate you. Approach an existing PSRT member who is familiar with your work. The nomination process mirrors the Core Team nomination process. Discuss your interest, share your relevant experience, and ask if they would sponsor your nomination. It helps to have a clear track record of responsible disclosure, patch reviews, or security tooling.
  4. Prepare your nomination packet. Though not a formal requirement, a brief summary of your contributions (e.g., past vulnerability reports, CVEs addressed, participation in security audits) can help the team evaluate your fit. Be ready to explain how you will support the team’s sustainability goals and the balance between security and project stability.
  5. The nomination and voting process. Once a PSRT member nominates you, the team votes. You need at least two‑thirds positive votes from all current members. If accepted, you will be onboarded as a new member. The governance document now ensures a smooth transition, including documented steps for adding members to the public list.
  6. Onboard and integrate into the team. After joining, you’ll participate in ongoing workflows, such as handling GitHub Security Advisories. The PSRT uses these advisories to record reporters, coordinators, and remediation developers—ensuring proper credit in CVE and OSV records. This recognition is just as important as contributions to source code. Expect to collaborate with the Python Steering Council as needed.
  7. Contribute and grow sustainably. The PSRT encourages members to involve project maintainers and experts directly in remediations to ensure fixes align with API conventions, threat models, and existing use cases. You’ll also help coordinate cross‑project advisories when a vulnerability affects multiple ecosystems. Your work will be publicly acknowledged, and you’ll help enhance the sustainability of Python security efforts.

Tips for Success

  • Start small. Even if you’re not a cryptographer, you can contribute by triaging reports, documenting processes, or testing patches. The PSRT values all skills.
  • Network within the Python community. Attend Python security response meetings, join the security‑announce list, and engage with the PSF Infrastructure team. Jacob Coffee’s path shows that infrastructure engineers bring valuable perspectives.
  • Emphasize collaboration. The PSRT’s strength lies in involving experts from various projects. Highlight your ability to work across teams and communicate effectively about vulnerabilities.
  • Stay informed. Follow PEPs related to security (e.g., PEP 811) and watch for updates to the governance model. Understanding the relationship between the Steering Council and the PSRT will help you navigate team dynamics.
  • Celebrate the work. Security contributions often happen behind the scenes. The PSRT is developing better ways to credit everyone involved—from reporter to fixer. Don’t hesitate to advocate for recognition of your teammates.
  • Be patient. The nomination and voting process may take time. Use that period to continue building your security expertise and visibility within the Python ecosystem.

Joining the Python Security Response Team is a rewarding way to protect millions of users. With the new governance structure, the path to membership is clearer than ever. If you’re passionate about Python security and ready to collaborate on critical vulnerabilities, follow these steps and become part of the team that keeps Python safe.
