Python Security Response Team Adopts Transparent Governance, Onboards First New Member

<p>The Python Security Response Team (PSRT) has achieved a milestone by approving a public governance document (PEP 811) and onboarding its first new non-Release Manager member since 2023, the Python Software Foundation announced today. This reform aims to bolster the sustainability of security work for the Python programming language.</p>
<p><strong>Jacob Coffee</strong>, the PSF Infrastructure Engineer, has joined the PSRT under the new onboarding process. “This governance framework ensures we can scale security efforts without overburdening volunteers,” said Seth Larson, Security Developer-in-Residence at the PSF. “Adding Jacob is a great first step.”</p>
<h2 id="background">Background</h2>
<p>The PSRT is responsible for triaging and coordinating vulnerability reports for CPython, pip, and the broader ecosystem. Before PEP 811, the team operated without a public charter, making membership criteria opaque and creating sustainability risks.</p>
<p>PEP 811 now mandates a public member list, defined roles for admins and coordinators, and a formal onboarding and offboarding process. It also clarifies the PSRT’s relationship with the Python Steering Council. This reform was driven by Larson, whose role is sponsored by the <strong>Alpha-Omega Project</strong>. “Their support was essential for making this happen,” he said.</p>
<h2 id="what-this-means">What This Means</h2>
<p>With transparent governance, the PSRT can attract more contributors and distribute workload more evenly. The team published a record 16 advisories for CPython and pip last year alone, and frequently coordinates with other open-source projects—for instance, the recent PyPI ZIP archive differential attack mitigation.</p>
<p>“Involving subject-matter experts directly during remediation ensures fixes respect existing APIs and threat models,” Larson explained. “This minimizes disruption while maintaining long-term security.” New workflows are being developed to credit reporters and fixers in CVE and OSV records, recognizing their private contributions.</p>
<h2 id="how-to-join">How to Join the PSRT</h2>
<p>Membership is open beyond core developers. Any contributor can be nominated by an existing PSRT member, followed by a vote requiring at least two-thirds approval from current members. The process mirrors the Core Team nomination system. “We welcome diverse expertise,” Larson added.</p>
<p>The foundation expects additional members to join soon, further strengthening Python’s security posture. For details, see the full PEP 811 document.</p>