Becoming a Guardian: Your Step-by-Step Guide to Joining the Python Security Response Team

Asked 2026-05-17 20:04:22 Category: Programming

Overview

The Python Security Response Team (PSRT) is the backbone of vulnerability management for the Python ecosystem. Thanks to the dedicated work of volunteers and paid staff—including the Security Developer-in-Residence Seth Larson—the team recently adopted a formal governance document (PEP 811). This document outlines a transparent membership roster, clear responsibilities for members and administrators, and a structured onboarding and offboarding process. The new governance also defines how the PSRT interacts with the Python Steering Council.

The process is already bearing fruit: Jacob Coffee, the PSF Infrastructure Engineer, became the first non–"Release Manager" member to join since Seth in 2023. More recruits are expected, bolstering the sustainability of security work for the Python language. This tutorial walks you through exactly how you can become part of this vital team.

Prerequisites

Understanding the Role

PSRT members triage and coordinate vulnerability reports, develop remediation strategies, and publish advisories. Last year alone, the team released 16 advisories for CPython and pip—the highest annual count ever. Coordinators often bring in project maintainers and experts to ensure fixes adhere to existing API conventions, threat models, and long-term maintainability.

Required Qualities

  • Trustworthiness – You'll handle sensitive, embargoed information.
  • Technical competence – Familiarity with Python internals or ecosystem tools is helpful but not mandatory.
  • Availability – Timely response to security reports is critical.
  • Collaboration skills – You'll work with core developers, downstream projects, and sometimes other open-source communities.

No Core Developer Status Needed

You do not need to be a core developer, triager, or even a formal team member of any CPython project. What matters is your ability to contribute effectively to the security mission.

Step-by-Step Instructions

Step 1: Get Involved and Build a Track Record

Before seeking nomination, immerse yourself in Python security work. Report vulnerabilities responsibly, contribute to existing security discussions on the Python Discourse, or help improve security tooling. Active, visible contributions make it easier for an existing PSRT member to justify your nomination.

Example: If you discover a potential security issue in a popular library, follow the coordinated disclosure guidelines on the Python Security page. Document your findings and share them appropriately with the maintainers.

Step 2: Find a Nominator from Existing PSRT Members

The nomination process mirrors the Core Team nomination model: you need an existing PSRT member to nominate you. The team now publishes a membership roster per PEP 811, and you can also approach members through public channels such as the Security SIG mailing list.

Tip: Engage with PSRT members at conferences (PyCon, EuroPython), on GitHub, or via the security@python.org mailing list. Demonstrate your interest and competence.

Step 3: The Nomination Process

Once a member agrees to nominate you, they will submit a formal nomination to the PSRT private mailing list. The nomination should highlight your relevant experience, contributions, and suitability. The team then discusses the nomination in a private channel.

Key detail: The entire process is confidential to protect candidates and maintain security posture.

Step 4: Voting and Approval

After discussion, existing PSRT members vote. At least two-thirds (⅔) positive votes are required for approval. Abstentions are counted but do not affect the threshold. The vote remains open for a defined period (typically one week).

Code-like detail: The voting mechanism uses a simple ballot: each member votes "yes," "no," or "abstain." The formula is: approval = (yes_votes >= (total_eligible_voters * 2/3)). If the threshold is met, the nomination passes.

Step 5: Onboarding and Becoming Active

If approved, you'll receive an onboarding package that includes access to private repositories, communication channels, and training materials. You'll shadow a current member handling a disclosure. Your responsibilities gradually increase.

The PSRT also maintains a checklist to avoid common pitfalls (see next section).

Common Mistakes

  • Underestimating time commitment – Security work can be urgent and unpredictable. Ensure you have bandwidth before seeking membership.
  • Thinking you need to be a core developer – Many valuable contributions come from outside the core team. Don't let this misconception hold you back.
  • Expecting immediate membership – The process can take months from initial engagement to final vote. Patience is key.
  • Ignoring governance changes – PEP 811 is now the governing document. Familiarize yourself with it before seeking nomination.
  • Not having a nominator lined up – Your first step should be networking within the security community, not submitting an unsolicited application.

Summary

The Python Security Response Team is more accessible than ever thanks to the new governance under PEP 811. You don't need to be a core developer—just a dedicated, trustworthy individual with a passion for security. The path involves building a track record, finding a PSRT member to nominate you, passing a two-thirds vote, and completing onboarding. By joining, you'll help protect millions of Python users worldwide and ensure the ecosystem remains resilient. Start engaging with the Python security community today!