Hiracave
2026-05-01
Programming

Becoming a Member of the Python Security Response Team: A Step-by-Step Guide

A step-by-step guide to joining the Python Security Response Team: prerequisites, nomination process, voting, onboarding, and common mistakes to avoid.

Overview

The Python Security Response Team (PSRT) is the front line of defense for the Python ecosystem. Composed of dedicated volunteers and paid Python Software Foundation staff, the PSRT triages, coordinates, and publishes vulnerability advisories for CPython, pip, and other critical projects. In 2024 alone, the team published 16 advisories—the most in a single year—demonstrating its growing importance.

Recent governance changes, formalized in PEP 811, have brought transparency and sustainability to the team. The PEP defines a public membership list, documented responsibilities for members and admins, and a clear onboarding/offboarding process. This new structure balances the need for security (keeping sensitive work confidential) with sustainability (ensuring the team can grow and retain talent).

One early success of this process is the addition of Jacob Coffee, the PSF Infrastructure Engineer, as the first non-Release Manager member since 2023. This guide will walk you through how you can potentially join their ranks—whether you’re a core developer, a triager, or an external security expert.

Support from the Alpha-Omega project has made this work possible by sponsoring Seth Larson’s role as Security Developer-in-Residence at the Python Software Foundation.

Prerequisites

Before you start the journey toward PSRT membership, ensure you meet these baseline requirements:

  • An existing PSRT member must nominate you. You cannot self-nominate. This ensures every candidate has a sponsor who can vouch for their expertise and trustworthiness.
  • You do not need to be a core developer, team member, or triager. The PSRT values diverse skills—security research, infrastructure, cryptography, even legal or policy expertise.
  • Familiarity with Python’s security processes (e.g., vulnerability disclosure, CVE reporting, GitHub Security Advisories) is highly recommended but not strictly required.
  • A strong track record of responsible disclosure or security contributions to the Python ecosystem (open source or previous coordinated disclosures).
  • Commitment to the PSRT’s core responsibilities: triaging reports, coordinating with project maintainers, and maintaining confidentiality.

If you meet these, you’re ready for the next step. Skip to the step-by-step instructions.

Step-by-Step Instructions

Step 1: Build a Security Reputation

PSRT members are not chosen randomly. They are people who have demonstrated a commitment to Python security. Start by:

  • Reporting vulnerabilities responsibly (use security@python.org or GitHub advisories).
  • Contributing fixes or patches for security issues.
  • Engaging with the Python security community via the PSF Security Discourse or #security channel on the Python Discord.

Step 2: Get Noticed by a Current PSRT Member

You can’t nominate yourself. Instead, let your work speak. Contribute to projects like CPython, pip, or PyPI. Attend security-related sprints. Write blog posts or tools that help the ecosystem. When a PSRT member sees your consistent, high-quality work, they may approach you about nomination.

Step 3: Receive a Nomination

Once a PSRT member decides to sponsor you, they will formally nominate you according to the PEP 811 process. The nomination includes a justification explaining your qualifications and why you would be a good fit. This is shared privately with the entire PSRT.

Internal note: The PSRT encourages nominators to involve potential candidates early in the process to confirm interest and availability.

Step 4: Voting Phase

After the nomination, a private vote is held among all current PSRT members. To pass, you need at least ⅔ (two-thirds) positive votes. The vote remains open for a set period (defined in PEP 811). No tie-breaking rules are needed because the threshold is high enough to ensure consensus.

Example vote scenario: If the PSRT has 9 members, at least 6 must vote in favor. Abstentions are not counted as votes, so the pool of counted votes may be smaller than the full membership.

Step 5: Onboarding

If the vote succeeds, you enter the onboarding phase. New members receive:

  • Access to private communication channels (e.g., PSRT mailing list, secure chat).
  • Documentation of responsibilities (triaging, coordinating, publishing advisories).
  • Briefing on existing workflows like GitHub Security Advisories for tracking reporters, coordinators, and remediation developers.
  • Mentorship from an experienced PSRT member during your first few vulnerability cases.

Step 6: Start Contributing

Once onboarded, you can begin handling vulnerability reports. Your first tasks might include:

  • Triaging incoming advisories to verify reproducibility and severity.
  • Coordinating with project maintainers to create patches.
  • Drafting CVE records and OSV entries that credit all contributors (including reporters and reviewers).

The PSRT often works with external experts to ensure fixes respect API conventions, threat models, and maintainability—so you’ll never be alone.

To avoid the pitfalls that commonly trip up new and prospective members, see the Common Mistakes section below.

Common Mistakes

Mistake 1: Believing You Must Be a Core Developer

As noted under Prerequisites: “You do not need to be a core developer, team member, or triager.” Many skilled security researchers wrongly assume they’re ineligible. Bring your unique background—whether it’s from web security, cryptography, or infrastructure—and apply.

Mistake 2: Ignoring the Nomination Requirement

Self-nominations are not accepted. Reaching out directly to a PSRT member and asking to be nominated can work, but it’s far better to let your contributions speak for themselves. A member who has seen your work is more likely to sponsor you.

Mistake 3: Underestimating the Time Commitment

Being on the PSRT is not a passive role. Vulnerability reports can appear suddenly, requiring urgent triage and coordination. You must be responsive and available, especially during embargo periods. The PSRT values sustainability—members are expected to communicate their capacity limits—but a certain baseline commitment is assumed.

Mistake 4: Sharing Confidential Information Too Early

Security work requires discretion. New members sometimes inadvertently share details of undisclosed vulnerabilities with non-members, which can lead to premature disclosure. Follow the responsible disclosure guidelines strictly until an advisory is published.

Mistake 5: Neglecting to Credit Contributors

The PSRT now uses improved workflows (via GitHub Security Advisories) to record every participant—reporter, coordinator, developer, reviewer. Failing to add proper credit can harm relationships and reduce future willingness to report vulnerabilities. Always verify the CVE and OSV records include all parties.

Summary

The Python Security Response Team is stronger than ever thanks to PEP 811’s governance overhaul. The path to membership is transparent: build a reputation, get nominated by an existing member, pass a ⅔ vote, and complete onboarding. The team values diverse expertise and does not require you to be a core developer.

If you’re passionate about Python security and ready to contribute to the health of the ecosystem, start engaging with the community today. Your first step might be a small vulnerability report—one that, in time, leads to a nomination and a seat at the table.

Need more details? Read PEP 811 for the full governance document, or reach out to the PSF Security team via their public channels. The future of Python security depends on committed individuals like you.