10 Key Updates About the Python Security Response Team You Need to Know
Security is not an afterthought for Python. Behind the scenes, dedicated volunteers and PSF staff work tirelessly on the Python Security Response Team (PSRT) to triage vulnerabilities and keep the ecosystem safe. Recent developments—including a formal governance document, new membership processes, and fresh faces—mark a significant step forward. Here are the ten most important updates you should know.
1. The PSRT Now Has an Official Governance Charter
The adoption of PEP 811 gives the PSRT a documented governance structure for the first time. This charter defines the team's purpose, decision-making rules, and responsibilities, moving security coordination from informal practice to policy. It also clarifies how the PSRT interacts with the Python Steering Council, ensuring clear lines of authority and accountability. This formalization makes operations more transparent and sustainable.
2. Public Membership List for Greater Transparency
For the first time, the PSRT publishes a complete list of its members. Anyone can now see who is responsible for handling vulnerability reports. Alongside the list, the team has documented the specific duties of both general members and administrators. This openness builds trust with the community and makes it easier for external researchers to know whom to contact.
3. A Clear Process for Joining and Leaving the Team
The new governance defines how members are onboarded and offboarded. This structured approach balances security needs with sustainability—ensuring the team stays effective while avoiding burnout. The process includes nomination, voting, and training requirements. Offboarding procedures help manage transitions smoothly when members step down, preserving institutional knowledge and maintaining coverage.
4. First New Non-Release-Manager Member in Two Years
The onboarding process has already been put to the test. Jacob Coffee, the PSF Infrastructure Engineer, joined the PSRT in as the first member who is not a release manager since Seth Larson joined in 2023. This milestone shows the new system works and opens the door for diverse expertise—infrastructure, security research, and beyond—to strengthen the team.
5. Security Developer-in-Residence Role Drives Improvements
Seth Larson, the Python Security Developer-in-Residence, has been instrumental in pushing these changes forward. His position, funded by Alpha-Omega, focuses on improving Python's security posture full-time. Seth developed the governance document, improved workflows, and mentors new members. This dedicated role ensures continuous progress rather than relying solely on volunteer effort.
6. Alpha-Omega Sponsorship Makes It Possible
The Alpha-Omega project's support for Seth Larson's work is a critical enabler. By funding a focused security role, they help the PSRT professionalize its operations. Their investment demonstrates how industry partners can contribute to open source security without dictating direction. This model could be replicated for other Python security initiatives.
7. Record Year for Vulnerability Advisories
In , the PSRT published 16 vulnerability advisories for CPython and pip—the most in a single year ever. This uptick doesn't mean Python is less secure; it reflects better reporting and faster response. The team encourages responsible disclosure and works to patch issues before they become widespread exploits. Each advisory is carefully coordinated to minimize disruption.
8. Cross-Project Coordination Protects the Ecosystem
Vulnerabilities often span multiple projects. The PSRT actively coordinates with other open source teams to ensure patches are synchronized. A recent example is the PyPI ZIP archive differential attack mitigation. By collaborating early, they prevent scenarios where a fix in one project exposes a gap in another. This holistic approach safeguards the entire Python supply chain.
9. Recognition for Private Security Contributions
Security work is often invisible. The PSRT is now integrating GitHub Security Advisories to credit reporters, coordinators, and remediation developers in CVE and OSV records. This gives proper attribution to everyone involved in private vulnerability handling. It's a step toward celebrating security contributions as much as code contributions—making the work visible and valued.
10. How You Can Join the PSRT
Interested in helping secure Python? The nomination process is similar to the Core Team system. You need an existing PSRT member to nominate you, followed by a vote requiring at least two-thirds approval from current members. Importantly, you don't have to be a core developer or release manager—expertise in infrastructure, testing, or security analysis is equally valuable. If you're passionate about Python security, start contributing to vulnerability discussions to build relationships with current members.
These ten updates show that the Python Security Response Team is evolving to become more transparent, sustainable, and effective. From governance to onboarding to cross-project coordination, the team is building a foundation that will protect Python users for years to come. Whether you're a security researcher, maintainer, or just a concerned user, these changes affect everyone in the ecosystem. Stay informed, and consider getting involved—Python's security relies on community effort.