How to Join the Python Security Response Team: A Complete Guide


Overview

Securing the Python ecosystem is no small feat. Behind the scenes, the Python Security Response Team (PSRT) works tirelessly to triage, coordinate, and resolve vulnerability reports that affect millions of users worldwide. In 2023 alone, the PSRT published a record-breaking 16 advisories for CPython and pip — the highest in a single year to date. This work is made possible by a mix of volunteers and paid staff, including the Security Developer-in-Residence position sponsored by Alpha-Omega. Recently, the team formalized its operations with PEP 811, an approved governance document that outlines membership, responsibilities, and transparent onboarding. This guide walks you through the PSRT’s structure, the role it plays, and—most importantly—exactly how you can join and contribute to this critical effort.

The PSRT doesn’t operate in isolation. It collaborates with maintainers, project experts, and even other open-source projects (like the PyPI ZIP archive differential attack mitigation) to ensure vulnerabilities are fixed without disrupting existing workflows or introducing new risks. While much of this work is confidential, the team is committed to recognizing everyone involved through improved GitHub Security Advisory workflows that capture reporters, coordinators, and remediation developers in CVE and OSV records.

Thanks to PEP 811, the team now has clear governance: a public membership list, defined roles for admins and members, a formal onboarding and offboarding process, and clarified relationships with the Python Steering Council. This new structure is already paying off—Jacob Coffee, the PSF Infrastructure Engineer, became the first non-Release Manager member since Seth Larson joined in 2023. More members are expected to follow.

Prerequisites

Before diving into the application process, make sure you meet the following prerequisites:

  • Familiarity with Python security: You should have a solid understanding of common vulnerabilities (e.g., injection, buffer overflows) and how they apply to CPython, pip, or other core Python projects.
  • Active involvement in the Python community: Membership on core developer or triage teams is not required, but you should be engaged—whether through contributions, participation in discussions, or working on related security tooling.
  • A sponsor: You need an existing PSRT member to nominate you. Build relationships by attending Python events, joining security-focused chats, or collaborating on vulnerability fixes.
  • Time commitment: Coordinating vulnerabilities can be time-sensitive and requires prompt responses. Be ready to dedicate a few hours per week, more during active incidents.
  • Discretion: You must handle sensitive information confidentially until public disclosure is coordinated.

Step-by-Step Guide to Joining the PSRT

Becoming a PSRT member follows a process similar to the Core Team nomination. Here’s what you need to do:

1. Get Noticed and Find a Sponsor

The very first step is to establish yourself as a reliable contributor to Python security. This could mean fixing bugs in CPython’s security modules, helping triage issues, or contributing to security documentation. Engage with the community on the python-security-discuss mailing list or IRC (#python-security on Freenode). Once you’ve made an impact, ask an existing PSRT member if they’d be willing to sponsor you. Sponsors must believe in your ability to handle sensitive vulnerabilities and work collaboratively under pressure.

2. Nomination

Your sponsor will submit a formal nomination to the PSRT private mailing list. The nomination should include:

  • Your background and contributions to Python security
  • Why you’re a good fit for the team
  • Any relevant expertise (e.g., cryptography, memory safety, supply chain security)

Nominations are kept confidential to respect privacy and the sensitive nature of the work.

3. Voting

Once nominated, the current PSRT members vote on your application. The rule is simple: at least two-thirds (⅔) of the cast votes must be positive. Votes are anonymous and can be accompanied by brief comments. The voting period typically lasts one week.

4. Onboarding

If the vote passes, you’ll be welcomed as a new member. Onboarding includes:

  • Access to private repositories and communication channels
  • Briefing on current workflows, tools (like GitHub Security Advisories), and coordination processes
  • Assigning a mentor from the existing team for the first few months

You’ll start by shadowing existing coordinators before handling reports independently.

5. Start Contributing

Once onboarded, you’ll be expected to triage incoming vulnerability reports, coordinate with stakeholders, and help craft patches and advisories. Remember that you often won’t work alone—involving project maintainers and subject matter experts is encouraged to ensure long-term maintainability and minimal disruption.

Common Mistakes to Avoid

Many potential applicants misunderstand the requirements. Here are the most frequent pitfalls:

  • Thinking you must be a core developer: This is false. PSRT members come from diverse backgrounds—security researchers, infrastructure engineers, even dedicated volunteers. As long as you have the skills and commitment, you’re welcome.
  • Lack of community engagement: A sudden nomination without prior involvement rarely succeeds. The team values trust and proven reliability.
  • Underestimating time commitment: Security work often requires rapid response. If you can’t allocate time, consider contributing to non-confidential security tasks first.
  • Ignoring governance documents: Read PEP 811 thoroughly. Understanding the PSRT’s structure and the Steering Council relationship will make you a more effective member.
  • Forgetting to thank others: The PSRT is about collaboration. Always recognize contributors—reporters, testers, reviewers—in CVE and OSV records. Seth and Jacob are currently refining this workflow, so adopt best practices early.

Summary

The Python Security Response Team is essential to the safety of the Python ecosystem. With the new governance laid out in PEP 811, onboarding is clearer than ever—and the bar for joining is not about having a “Core Developer” title but about demonstrated passion and expertise in security. To recap:

If you’re excited by this challenge, start building your reputation today. The Python ecosystem needs more heroes working quietly behind the scenes—and you could be the next one.
