Python Security Response Team Bolsters Ranks with New Governance and First New Member in Over a Year

<h2>Breaking: PSRT Welcomes First New Non-Release Manager Member Since 2023</h2>
<p>The Python Security Response Team (PSRT) has announced its first new member in over a year, a milestone for the long-term sustainability of security work in the Python ecosystem. Jacob Coffee, the Python Software Foundation's Infrastructure Engineer, has officially joined the PSRT as a full member, becoming the first non-Release Manager to join since Security Developer-in-Residence Seth Larson in 2023.</p>
<p>&quot;Jacob's addition is a direct result of our new governance framework,&quot; said Seth Larson, Security Developer-in-Residence at the PSF. &quot;We now have a clear, public process for onboarding members that balances security needs with long-term team sustainability.&quot;</p>
<h2 id="background">Background: PEP 811 and the Need for Formal Governance</h2>
<p>The PSRT has operated for years as a small, invite-only group of Release Managers and core developers. Without a formal governance document, onboarding new members was ad hoc, and the team struggled to scale as vulnerability reports reached an all-time high.</p>
<p>In response, the Python community approved <strong>PEP 811</strong>, a public governance document that now officially defines the PSRT's structure. The new governance includes a <a href="#members">public list of members</a>, documented responsibilities for both members and admins, and a standardized process for onboarding and offboarding.</p>
<p>&quot;Security is a team sport, and the PSRT needed a sustainable model to grow,&quot; Larson explained. &quot;PEP 811 clarifies the relationship between the Python Steering Council and the PSRT, ensuring accountability without sacrificing the speed required for vulnerability response.&quot;</p>
<h2 id="risingscope">Rising Scope of Vulnerability Response</h2>
<p>Last year alone, the PSRT published 16 vulnerability advisories for CPython and pip, the most in any single year to date. Each advisory requires careful triage, coordination with project maintainers, and often cross-project collaboration with other open source ecosystems.</p>
<p>&quot;We don't work in a vacuum,&quot; said Jacob Coffee. &quot;When we fix a vulnerability in PyPI's ZIP archive handling, we coordinate with dozens of downstream projects to ensure no one is caught off guard. The new governance helps us formalize these cross-ecosystem workflows.&quot;</p>
<h2 id="whatthismeans">What This Means for Python's Future</h2>
<p>The addition of Coffee and the implementation of PEP 811 signal a shift from ad hoc volunteer security work to a more sustainable, staffed model. The PSF expects further new members to join through the simplified nomination process, which requires an existing PSRT member to nominate a candidate and a two-thirds majority vote from current members.</p>
<p>&quot;We want to attract contributors from diverse backgrounds – not just core developers,&quot; Larson emphasized. &quot;You don't need to be a core developer, team member, or triager to join the PSRT. If you have experience in security, we encourage you to connect with a current member.&quot;</p>
<h2 id="howtojoin">How to Join the Python Security Response Team</h2>
<p>Membership follows a process similar to the Core Team nomination: an existing PSRT member nominates you, and the team votes. Once accepted, members take on responsibilities such as triaging vulnerability reports, coordinating fix development, and maintaining security-related documentation.</p>
<p>&quot;We're actively looking for people who can commit to the coordination work,&quot; Coffee noted. &quot;The PSRT deals with sensitive information, so trust and reliability are key. But the new governance makes the path to joining transparent.&quot;</p>
<h2 id="recognition">Recognition for Behind-the-Scenes Work</h2>
<p>Larson and Coffee are also developing improvements to GitHub Security Advisories to properly attribute vulnerability reporting, coordination, and remediation work in CVE and OSV records. &quot;This work deserves the same recognition as code contributions,&quot; said Larson. &quot;We want every person involved in a fix – from reporter to reviewer – to be publicly credited.&quot;</p>
<p>The PSRT's efforts are supported in part by Alpha-Omega, which sponsors Larson's role as Security Developer-in-Residence at the PSF. &quot;Without Alpha-Omega's support, scaling the PSRT would be far more challenging,&quot; Larson added.</p>
<h2 id="outlook">Outlook: A More Resilient Python Ecosystem</h2>
<p>With a formal governance document, a growing membership, and increased cross-project coordination, the PSRT is positioned to handle the rising tide of vulnerability reports while maintaining the trust of millions of Python users worldwide.</p>
<p>&quot;This is just the beginning,&quot; Coffee said. &quot;I'm thrilled to be part of the team that's making Python security sustainable for the long haul.&quot;</p>