How to Join the Python Security Response Team: A Step-by-Step Guide

Introduction

Security is never accidental—it's the result of dedicated volunteers and staff working behind the scenes to keep the Python ecosystem safe. The Python Security Response Team (PSRT) is the group responsible for triaging and coordinating vulnerability reports, issuing advisories, and ensuring fixes are applied without breaking existing use cases. Thanks to the work of Seth Larson, the Security Developer-in-Residence, the PSRT now operates under an approved public governance document (PEP 811). This new structure brings transparency: a public list of members, clear responsibilities, and a defined process for onboarding and offboarding. The first new member under this process is Jacob Coffee, the PSF Infrastructure Engineer, who joined as the first non-"Release Manager" member since Seth in 2023. With support from Alpha-Omega, the PSRT is becoming more sustainable. If you're passionate about Python security and want to help, here's your comprehensive guide to joining the team.

Step-by-Step Process

Step 1: Understand the Role and Governance

Before you jump in, take time to study the PSRT's new governance under PEP 811. The document outlines the team's responsibilities, how members and admins are expected to act, and the relationship with the Python Steering Council. The PSRT now publishes its member list publicly, so you can see who's currently on the team. Read about the onboarding and offboarding procedures—they balance security with sustainability. Also, review past advisories (like the 16 advisories published in 2023 for CPython and pip) to understand the type of work involved.

Step 2: Get Involved in Python Security

Active participation in Python security is the best way to become known and respected. Contribute to security-related discussions on the python-security mailing list, help triage issues, or assist with vulnerability coordination. You don't need to be a core developer—the PSRT values expertise from maintainers, security researchers, and even community members. Seth Larson and Jacob Coffee are improving workflows with GitHub Security Advisories to properly credit everyone involved. Get familiar with tools like CVE and OSV records. The more you engage, the more likely existing members will notice your contributions.

Step 3: Find a Nominator

The nomination process is similar to the Core Team nomination process. You need an existing PSRT member to nominate you. Start building relationships with current members—attend Python security meetings, comment on their work, or collaborate on a vulnerability report. Explain why you want to join and how your skills can help. Remember, you don't need to be a core dev; even volunteers who actively contribute to security can be nominated.

Step 4: Prepare Your Nomination

Once a PSRT member agrees to nominate you, work with them to prepare a strong case. Your nominator will present you to the rest of the team. Highlight your experience with vulnerability handling, coordination with other open source projects (like the recent ZIP archive differential attack mitigation on PyPI), and your understanding of Python's API conventions and threat models. Emphasize your commitment to maintaining long-term fix sustainability and minimal impact on existing use cases.

Step 5: Await the Vote

The PSRT will hold a vote among its members. You need at least two-thirds positive votes to be accepted. The voting process is confidential to maintain security and integrity. After the vote, you'll be informed of the outcome. If you're not accepted, ask for feedback and continue contributing—it's common to try again later.

Step 6: Onboarding and Beyond

If approved, you'll go through the onboarding process defined in PEP 811. You'll receive access to secure channels, learn the coordination workflows, and start handling real vulnerability reports. The PSRT encourages members to involve project maintainers and experts early in remediation to ensure fixes align with existing APIs and threat models. You'll also coordinate with other open source projects as needed. Your work will be recognized—Seth and Jacob are developing systems to record reporters, coordinators, and remediation developers in CVE and OSV records. Celebrate your contributions just like code commits!
