Your Guide to Joining the Python Security Response Team: Steps, Requirements, and Best Practices

By

Overview

The Python Security Response Team (PSRT) is the group responsible for triaging and coordinating vulnerability reports and remediations for the Python ecosystem. Their work keeps millions of Python users safe by ensuring that security issues in CPython, pip, and other core components are handled promptly and professionally. Thanks to the efforts of the Security Developer-in-Residence (Seth Larson) and support from the Alpha-Omega project, the PSRT recently adopted a formal governance document (PEP 811). This new charter brings transparency with a public list of members, documented roles for both members and administrators, and a clear process for onboarding and offboarding. It also clarifies the relationship between the PSRT and the Python Steering Council.

In 2023, the PSRT published 16 vulnerability advisories for CPython and pip—the highest number in a single year. The team works closely with project maintainers and experts to ensure that fixes adhere to existing API conventions, threat models, and are sustainable long-term. They also coordinate with other open-source projects when a vulnerability affects multiple projects, as seen with the PyPI ZIP archive differential attack mitigation.

This guide walks you through everything you need to know about joining the PSRT: the prerequisites, the step-by-step nomination process, common mistakes to avoid, and what to expect as a new member.

Prerequisites

Who Can Apply?

You do not need to be a CPython core developer, a triager, or a maintainer of any specific project. The PSRT welcomes individuals with security experience from diverse backgrounds. However, you must be nominated by an existing PSRT member. There is no self-nomination process.

What Skills Are Helpful?

While not strictly required, the following attributes increase your chances of being nominated and successfully contributing:

• Security vulnerability handling: Understanding of responsible disclosure, CVEs, embargoes, and coordinated releases.
• Python ecosystem knowledge: Familiarity with CPython internals, pip, PyPI, and common Python security issues (e.g., sandbox escapes, buffer overflows, dependency confusion).
• Strong communication and discretion: Much of the work happens privately, requiring discretion and clear written communication.
• Active participation: Contributing to Python security discussions, bug reports, or patches demonstrates your commitment and expertise.

What About Experience Level?

There is no minimum experience requirement, but most members have a track record of involvement in the Python community, either through code contributions, security research, or participation in the Python Security Response Team's mailing list or issue tracker.

Step-by-Step Instructions

1. Engage with Python Security Work

Before you can be nominated, you need to be noticed. This means actively contributing to the security of the Python ecosystem. Ways to do this include:

• Reviewing security-related issues and pull requests on CPython and pip repositories.
• Submitting responsible vulnerability reports through the Python security reporting process.
• Participating in public discussions on the python-security mailing list or in the Python Discourse Security category.
• Contributing patches or mitigations for known vulnerabilities.

2. Build Relationships with Current PSRT Members

The nomination process relies on existing members being familiar with your work. Engage respectfully with team members in public forums, attend Python security-related sprints or conferences (e.g., PyCon US), and offer to help with tasks such as testing embargoed patches or drafting advisory summaries. Building trust takes time, so be patient.

3. Get Nominated

An existing PSRT member must formally nominate you. This typically happens after the member has observed your contributions and believes you would be a valuable addition to the team. The nomination is submitted to the PSRT membership list.

4. The Vote

Once a nomination is submitted, all current PSRT members vote. For you to be accepted, your nomination must receive at least ⅔ (two-thirds) positive votes from the current members. This threshold ensures that new members have broad consensus, maintaining team cohesion and security culture.

5. Onboarding

If the vote is successful, you will be onboarded according to the new documented process (per PEP 811). This includes:

• Receiving access to the PSRT's private mailing list, security tracker, and shared documentation.
• Reviewing the team's responsibilities, coordination guidelines, and embargo policies.
• Shadowing a senior member for the first few vulnerability reports before handling cases independently.
• Being added to the public list of PSRT members on the Python website.

Example: Jacob Coffee's onboarding – Jacob, the PSF Infrastructure Engineer, was the first non-Release Manager to join since Seth Larson in 2023. His successful onboarding demonstrates that the new process is working. You can review the public member list to see who is currently on the team.

Common Mistakes

Mistake 1: Trying to Nominate Yourself

The process explicitly requires an existing member to nominate you. Asking someone directly to nominate you may be seen as pushy. Instead, focus on demonstrating your value.

Mistake 2: Expecting Immediate Membership

Security teams are cautious by nature. The vetting process can take weeks or even months. Do not be discouraged if a nomination doesn't appear quickly after you start contributing.

Mistake 3: Ignoring the Steering Council Relationship

The PSRT works under the oversight of the Python Steering Council. Understand that the team must balance security with project governance. Not respecting that balance can harm your candidacy.

Mistake 4: Lack of Discretion

Discussing non-public vulnerabilities publicly before they are patched is a serious breach of trust. Always follow the responsible disclosure guidelines. Even after joining, maintain confidentiality.

Mistake 5: Thinking You Need to Be a Core Developer

Many assume only core developers can join the PSRT. This is false. The team values security expertise over code commit rights. Some members are solely focused on vulnerability coordination and do not write CPython code.

Summary

The Python Security Response Team has evolved into a more transparent and sustainable body thanks to PEP 811. Joining the PSRT is now a structured process: engage with security work, get to know current members, receive a nomination, pass a ⅔ majority vote, and complete an onboarding program. You do not need to be a core developer, but you do need a genuine interest in Python security and a willingness to work behind the scenes. With the team's renewed governance, new members like Jacob Coffee are already contributing—and you could be next. Start today by getting involved in the Python security community and making your mark.

Related Articles

• Modernize Your Go Code with the New go fix: A Step-by-Step Guide
• Bridging the Gender Gap: Addressing Bias in AI-Powered Personal Finance
• Mastering the Factory Method Pattern in Python: A Practical Guide
• Why Domain Expertise Remains Critical in the Age of AI-Assisted Development
• Python 3.15.0 Alpha 3: Early Preview Introduces Statistical Profiler and UTF-8 Default Encoding
• How to Automate Your Code Analysis with GitHub Copilot Agents
• Python 3.15.0 Alpha 5: An Extra Release With Major New Features
• Rethinking Imaging System Design: The Power of Information Theory