How to Become a Member of the Python Security Response Team

Introduction

The Python Security Response Team (PSRT) is the frontline defense for the Python ecosystem, handling vulnerability reports and coordinating fixes to keep millions of users safe. Thanks to the recent approval of PEP 811, the PSRT now operates under a public governance structure with documented responsibilities, transparent membership lists, and a clear onboarding process. This new framework—championed by Security Developer-in-Residence Seth Larson—has already welcomed its first non-Release Manager member, Jacob Coffee, the PSF Infrastructure Engineer. In this guide, you'll learn how you can join this vital team and contribute to the security of the Python programming language.

How to Become a Member of the Python Security Response Team

What You Need

Before applying, ensure you meet the following prerequisites:

An existing PSRT member to nominate you – the nomination process is similar to the Core Team nomination process.
A track record in Python security – experience with vulnerability triage, remediation, or coordinated disclosure is highly valued.
No requirement to be a core developer – you do not need to be a core developer, team member, or triager. However, you should be an active contributor to the Python ecosystem.
Commitment to sustainability – the PSRT balances security needs with resource sustainability, so willingness to volunteer time is essential.
Understanding of the PSRT’s role – familiarity with PSRT responsibilities as defined in PEP 811.

Step-by-Step Process to Join the PSRT

Step 1: Understand the PSRT’s Role and Responsibilities

Before seeking nomination, you must grasp what the PSRT does. The team triages and coordinates vulnerability reports for CPython, pip, and other Python ecosystem projects. They work with maintainers and experts to ensure fixes are secure, maintainable, and respect existing APIs. They also coordinate with other open source projects when vulnerabilities cross boundaries—like the recent PyPI ZIP archive differential attack mitigation. Key documents include PEP 811, which outlines governance, and the public list of members and responsibilities. Familiarize yourself with these to show you understand the commitment.

Step 2: Build a Strong Security Contribution Record

PSRT nominations rely on demonstrated expertise. Contribute to Python security by:

Reporting vulnerabilities through responsible disclosure channels.
Assisting in remediation efforts for open issues in CPython or pip.
Collaborating with current PSRT members on security advisories.
Participating in security discussions on the python-security mailing list or other forums.
Working on projects like PSRT workflows for GitHub Security Advisories to record reporters, coordinators, and remediation developers.

The more you contribute, the more likely a current member will recognize your value and nominate you.

Step 3: Get Nominated by a Current PSRT Member

The nomination process requires a current PSRT member to put you forward. Reach out to members you have worked with during security activities. Explain your interest and how you meet the criteria. Nomination follows the same path as the Core Team nomination process: the member will formally propose you to the PSRT. Be prepared to share your contributions and why you’d be a good fit.

Step 4: Undergo a Vote by the PSRT

Once nominated, the PSRT holds a vote. According to PEP 811, you need at least ⅔ positive votes from existing PSRT members to be accepted. This ensures the team remains cohesive and that new members are trusted with sensitive vulnerability information. The vote is conducted privately to maintain security. There is no set timeline, but you will be notified of the outcome.

Step 5: Complete Onboarding and Gain Access

After acceptance, you’ll go through a defined onboarding process documented in PEP 811. This includes:

Receiving instructions on handling vulnerability reports and coordinating disclosures.
Getting access to private repositories, mailing lists, and tools used by the PSRT.
Understanding the relationship between the PSRT and the Python Steering Council.
Being added to the public list of members.

Your onboarding may involve shadowing an existing coordinator to learn the workflow.

Step 6: Start Contributing and Help Sustain Security

Now you’re an official member! Your responsibilities include triaging reports, coordinating fixes with maintainers, publishing advisories, and ensuring proper credit is given to all contributors. The PSRT values sustainability, so you’ll help distribute workload among members. Recent improvements include recording contributions from reporters and coordinators into CVE and OSV records—recognizing everyone involved in these private yet critical contributions.

Tips for Aspiring PSRT Members

Stay engaged with the Python security community – follow the python-security list, attend Python security sprints, and contribute to discussions.
Collaborate with other open source projects – cross-ecosystem coordination is a key PSRT activity. Experience with projects like PyPI or other OSS security teams is a plus.
Document your contributions – when you help with a vulnerability, ensure your work is noted (e.g., in GitHub Security Advisories). This makes your nomination package stronger.
Learn about threat models and API conventions – fixes must be maintainable. Study how CPython and pip handle security patches.
Be patient – the PSRT is small and deliberate. Keep contributing and building relationships; the right opportunity to be nominated will come.
Recognize that contributions to security are as valuable as code – Seth and Jacob are improving workflows to credit everyone. Your work matters even if it’s invisible to the public.

By following these steps, you can help strengthen the security of the Python ecosystem and join a dedicated team that protects millions of users worldwide.

Tags: