How to Become a Member of the Python Security Response Team: A Step-by-Step Guide

Introduction

Keeping the Python ecosystem secure requires dedicated effort. The Python Security Response Team (PSRT) is the group responsible for triaging and coordinating vulnerability reports, issuing advisories, and ensuring fixes are implemented smoothly. Thanks to recent governance improvements (PEP 811), led by Security Developer-in-Residence Seth Larson, the PSRT now has a transparent membership process. This guide walks you through how to join the team and contribute to Python's security — just like Jacob Coffey, the PSF Infrastructure Engineer, who became the first non-Release Manager member since 2023.

What You Need to Get Started

Step-by-Step How to Join the PSRT

Step 1: Learn About the PSRT and Its Work

Before seeking membership, you must understand what the PSRT does. The team handles vulnerability reports for CPython, pip, and related projects. They coordinate with maintainers, issue advisories, and sometimes collaborate with other open-source projects (e.g., the recent PyPI ZIP archive differential attack mitigation). In 2023 alone, they published 16 advisories—a record. Read the official governance document (PEP 811) to grasp the team's structure, member responsibilities, and relationship with the Python Steering Council.

Step 2: Build Relevant Skills and Reputation

While you don't need to be a core developer, you should demonstrate security expertise. Contribute to Python security by reporting bugs, participating in discussions on the Python Security Tracker or Discourse, or helping with vulnerability triage. Seth Larson and Jacob Coffey are improving workflows for GitHub Security Advisories to track contributions—get familiar with those tools. Your visibility and trustworthiness matter because nominations come from existing members.

Step 3: Find a PSRT Member to Nominate You

Approach an existing PSRT member who knows your work. If you’ve collaborated on security issues or contributed to Python’s security processes, that’s a natural connection. The nomination process is similar to the Core Team nomination system. Your sponsor will vouch for your skills and dedication. If you don’t know a member, consider attending PSF events, engaging in security-related Python PEPs, or contributing to the psf-salt infrastructure projects.

Step 4: Submit Your Nomination

Once a PSRT member agrees to nominate you, they will present your candidacy to the team. The nomination should highlight your relevant experience, such as past vulnerability handling, security audits, or coordination work. The PSRT now maintains a public list of members and has a formal onboarding process, so transparency is key.

Step 5: Obtain a Two-Thirds Positive Vote

The PSRT votes on nominations via a private ballot. You need at least two-thirds of existing members to approve. This ensures the team remains cohesive and trusted. If you have a strong record, the vote should be positive. After approval, you’ll be officially added to the PSRT roster.

Step 6: Complete Onboarding and Understand Your Responsibilities

As a new member, you’ll be briefed on PSRT procedures, communication channels (e.g., private mailing lists, security issue trackers), and administrative duties. You’ll learn how to coordinate with project maintainers, manage CVEs, and use GitHub Security Advisories to properly credit reporters, coordinators, and remediation developers. This step ensures you can handle sensitive security work responsibly.

Step 7: Actively Participate and Contribute

Once onboard, your main role is to help triage vulnerabilities and coordinate fixes. You’ll work alongside other PSRT members, often bringing in subject-matter experts from the core development team or individual projects. Collaboration ensures that patches adhere to API conventions and threat models, are maintainable, and minimize user impact. Remember, security work deserves recognition—Seth and Jacob are building systems to automate credit in CVEs and OSV records, so your contributions will be visible.

Tips for a Successful Application

Joining the PSRT is a rewarding way to protect the Python ecosystem. With the new transparent governance and support from organizations like Alpha‑Omega (which sponsors Seth Larson’s role), the team is growing. Whether you’re a security professional or a dedicated Pythonista, your expertise can make a difference.
