Introduction
Python's security doesn't happen by accident—it's the result of dedicated volunteers and staff on the Python Security Response Team (PSRT). With the recent approval of PEP 811, the PSRT now operates under a formal governance structure, including a public membership list, clear responsibilities for members and admins, and a defined onboarding and offboarding process. This guide walks you through how to become part of this critical team, from understanding the role to securing a nomination and navigating the voting process.
Whether you're a seasoned security expert or a passionate Python developer, joining the PSRT is a meaningful way to contribute to the ecosystem's safety. Let's dive in.
What You Need
Before you begin, ensure you have the following:
- A current PSRT member to nominate you – This is the single non-negotiable requirement. No self-nominations are accepted.
- Strong background in security or Python development – While not mandatory, experience with vulnerability triage, CVE coordination, or CPython internals helps. You don't need to be a core developer, but expertise is valued.
- Commitment to volunteer time – The PSRT operates on a volunteer basis (with some paid staff). Be prepared to triage reports, coordinate fixes, and communicate discreetly.
- Familiarity with Python's governance – Understanding PEPs, Steering Council roles, and security advisories (e.g., GitHub Security Advisories) is a plus.
Step-by-Step How to Join the PSRT
Step 1: Understand the Role and Responsibilities
First, get a clear picture of what the PSRT does. The team triages and coordinates vulnerability reports for CPython, pip, and related projects. They work with maintainers to ensure fixes align with API conventions, threat models, and long-term maintainability. They also coordinate with other open-source projects to minimize ecosystem shocks (e.g., the PyPI ZIP archive attack mitigation). Members are expected to handle sensitive information discreetly and collaborate with experts across the Python community.
Step 2: Build Your Security Contributions
Since nomination requires an existing PSRT member to vouch for you, start building a track record. Contribute to Python security by:
- Reporting vulnerabilities responsibly.
- Helping in GitHub Security Advisories.
- Participating in security discussions on the security@python.org mailing list.
- Attending Python security sprints or related events.
Your contributions will make you visible to current PSRT members, increasing your chances of a nomination.
Step 3: Get Nominated by a Current PSRT Member
Only PSRT members can submit nominations. Reach out to someone you've worked with or who knows your security work. The nomination process mirrors the Core Team nomination process—it's informal but requires a formal proposal. The nominating member will present your case to the team.
There is no requirement that you be a core developer, triager, or even a longstanding contributor. Enthusiasm and aptitude matter.
Step 4: Nomination Vote (Requires ⅔ Majority)
After nomination, existing PSRT members vote. You need at least two-thirds positive votes from the current membership. The exact voting procedures are defined in PEP 811. The process balances security and sustainability—no single member can block a consensus-driven decision.
If the vote passes, you move to onboarding.
Step 5: Complete the Onboarding Process
Onboarding includes understanding team workflows, tools (like GitHub Security Advisories), and communication channels. You'll learn how to coordinate with the Python Steering Council (as clarified in PEP 811) and how to handle vulnerability reports. The PSRT admins will guide you through documentation and introduce you to ongoing projects.
Recent example: Jacob Coffee, the PSF Infrastructure Engineer, became the first non-Release Manager member to join since 2023—showing that the new process works.
Step 6: Start Contributing and Collaborating
Once onboard, your work begins. You'll triage reports, coordinate with project maintainers, and sometimes collaborate with other open-source projects. Remember to involve experts when needed—they ensure fixes stay maintainable and low-impact. Also, recognize contributors: Seth Larson and Jacob Coffee are improving workflows to credit reporters, coordinators, and remediation developers in CVE and OSV records. Celebrate security contributions just like code commits!
Tips for a Successful Application
- Be patient – The nomination and voting process can take time. There's no fixed schedule; it happens when a member steps forward.
- Focus on quality over quantity – One well-handled vulnerability report can leave a better impression than many small fixes.
- Stay active in the Python security community – Subscribe to the security mailing list, attend Python events, and engage respectfully in discussions.
- Understand the balance of security and sustainability – The PSRT values long-term maintainability. Avoid pushing for heavy changes that could break existing code.
- Leverage the new governance – The public membership list and documented processes (PEP 811) mean transparency. Use them to understand who to approach for a nomination.
- Don't be discouraged if not selected – The PSRT has limited slots, and competition is growing. Keep contributing—another opportunity may arise.
Joining the PSRT is a rewarding way to make Python safer for everyone. Thanks to support from Alpha-Omega and the PSF, security work is more sustainable than ever. Good luck!