Becoming a Guardian of Python Security: A Step-by-Step Guide to Joining the Python Security Response Team
Overview
The Python Security Response Team (PSRT) is the frontline defense for the Python ecosystem. This volunteer and staff-led group triages vulnerability reports, coordinates fixes, and publishes advisories to keep millions of developers safe. In 2023 alone, the PSRT issued 16 advisories for CPython and pip—a record high—demonstrating the growing importance of structured security governance.
Thanks to Seth Larson, the Security Developer-in-Residence, the PSRT now operates under a formal governance document (PEP 811). This document introduces a transparent membership list, clear roles for members and admins, and a repeatable onboarding/offboarding process that balances security needs with team sustainability. The first member to join under this new process is Jacob Coffee, the PSF Infrastructure Engineer. He is the first non-Release Manager member since Seth himself joined in 2023.
This guide explains what the PSRT does, what prerequisites you need, and how you can become a member. Whether you’re a core developer or an outside expert, the path to joining is now clearer than ever.
Prerequisites
Before you start the nomination process, you should meet the following criteria:
- Active involvement in Python security – You don’t need to be a core developer or a release manager, but you must have a track record of contributing to Python’s security posture. This could include reporting vulnerabilities, helping with triage, or maintaining security-critical packages like `cryptography` or `pip`.
- Understanding of the PSRT’s responsibilities – Review the documented responsibilities below so you know what you’re signing up for.
- Nomination by an existing PSRT member – The process requires a sponsor from within the team. Build relationships by contributing to security discussions, attending CPython core sprints, or engaging on the `python-security` mailing list.
- Willingness to follow a formal process – The new governance (PEP 811) ensures fairness, but it also means your nomination must survive a vote.
Step‑by‑Step Instructions
Step 1: Understand the PSRT’s Role
The PSRT doesn’t work in isolation. Coordinators frequently involve the maintainers of affected projects, domain experts, and even other open-source communities. For example, the recent PyPI ZIP archive differential attack mitigation required coordination across multiple projects. The team also records the reporter, coordinator, and remediation developers in CVE and OSV records to ensure proper credit.
Key responsibilities (from PEP 811):
- Triage and validate vulnerability reports.
- Coordinate the development and release of fixes.
- Communicate with reporters and affected parties.
- Publish advisories and CVEs.
- Onboard and mentor new members.
Step 2: Gain Relevant Experience
While you don’t need to be a core developer, you should demonstrate security competence. Start by:
- Contributing to CPython or pip – Fix bugs, improve documentation, or review patches related to security.
- Reporting vulnerabilities – Use the `python-security` email address or GitHub Security Advisories (GHSA) to responsibly disclose issues.
- Participating in the community – Join the `python-dev` mailing list, attend the Python Language Summit, or engage in PEP discussions.
Example: A typical vulnerability report might look like:
Subject: [Security] Potential CVE-2024-XXXX in urllib.parse
Description: The function `urlsplit()` mishandles certain IP addresses, leading to SSRF.
Steps to reproduce: ...
Step 3: Get Noticed by a PSRT Member
You need an existing PSRT member to nominate you. The public members list shows current members. Ways to get on their radar:
- Submit high-quality security patches or vulnerability reports.
- Offer to help with triage during a security release cycle.
- Present at a Python conference or security meetup.
Remember, the PSRT values sustainability. Demonstrating that you can handle sensitive information and work under confidential timelines is crucial.
Step 4: Begin the Nomination Process
Once a member agrees to nominate you, the process follows:
- Nomination submission – The nominator presents your case to the team, including your contributions and why you would be a good fit.
- Vote – All current PSRT members vote. The threshold is at least ⅔ positive votes. This ensures consensus and prevents controversial additions.
- Onboarding – If accepted, you work with an admin to complete the onboarding checklist (e.g., signing NDAs, gaining access to private repos, and learning the tools).
Note: The process is similar to the Core Team nomination but tailored for security duties.
Step 5: After Joining – What to Expect
New members typically focus on triaging reports and assisting with fix coordination. The team uses GitHub Security Advisories for private collaboration and records everyone’s contributions in the final CVE. You’ll also help maintain the growing library of security advisories and may eventually mentor newcomers.
The PSRT encourages involving experts directly to ensure fixes respect API conventions, threat models, and backward compatibility. This collaborative model has been key to the 2023 record number of advisories.
Common Mistakes
Mistake 1: Thinking You Must Be a Core Developer
Many assume only core developers can join. In reality, the team values domain expertise over rank. Review the PEP 811 criteria: contributions can come from package maintainers, security researchers, or infrastructure engineers.
Mistake 2: Ignoring the Need for a Nomination
Some try to apply directly. The PSRT does not accept unsolicited applications. Build relationships first.
Mistake 3: Rushing the Triage Process
Once a member, some rush to push fixes. The team emphasizes careful coordination—always CC the maintainer, document rationale, and consider cross-project impact.
Mistake 4: Underestimating the Time Commitment
Security work is often urgent. Be prepared to drop what you’re doing during a critical vulnerability. The team uses a rotating schedule to balance load.
Summary
The Python Security Response Team is more transparent and welcoming than ever, thanks to PEP 811. Anyone with a demonstrated contribution to Python security can join—the key is to gain experience, get a sponsor, and survive a ⅔ vote. Once onboard, you’ll help triage vulnerabilities, coordinate with experts, and publish advisories that protect the entire ecosystem. The work is challenging but deeply rewarding, and with the new governance, the team is built to last.
Ready to start? Review the prerequisites again and engage with the community today.