Python Security Response Team Adopts New Public Governance, Welcomes First Dedicated Security Member in Years

Last updated: 2026-05-19 19:46:24 · Programming

Python Security Response Team Overhauls Operations with PEP 811

The Python Security Response Team (PSRT) has officially approved a new public governance document, PEP 811, marking a significant step toward transparency and sustainability in open-source security. For the first time, the team now publishes a list of members, defines clear responsibilities for members and admins, and establishes a formal onboarding and offboarding process.

“This governance framework ensures that our security work is both effective and sustainable,” said Seth Larson, Python’s Security Developer-in-Residence. “By codifying how we operate, we can better protect the entire Python ecosystem while making it easier for new contributors to join.”

Background: A Growing Need for Structured Security

The PSRT is responsible for triaging and coordinating vulnerability reports for CPython and pip. Last year alone, the team published 16 advisories—the highest annual total to date. However, the team has historically relied on a small, informal group of volunteer Release Managers, creating a bottleneck for critical security work.

“Security doesn’t happen by accident,” emphasized Jacob Coffee, the PSF Infrastructure Engineer who recently joined the PSRT as the first new non–Release Manager member since 2023. “This new process ensures we can bring in experts from across the community who aren’t necessarily core developers but have deep knowledge of specific areas.”

What This Means for the Python Ecosystem

The adoption of PEP 811 institutionalizes best practices for vulnerability response, ensuring that fixes adhere to existing API conventions, maintainability standards, and threat models. The new governance also clarifies the relationship between the PSRT and the Python Steering Council, reducing potential conflicts.

“We’re now able to onboard specialists who can handle everything from ZIP archive attacks to complex dependency issues,” said Larson. “This directly translates to faster, safer patches for every Python user.” Longer-term, the PSRT plans to improve how contributions are recorded in CVE and OSV records, giving proper credit to everyone involved in private security fixes.

How to Join the Python Security Response Team

Interested in contributing to Python’s security? The new onboarding process mirrors the Core Team nomination process: an existing PSRT member must nominate you, and the nomination requires at least two-thirds positive votes from current members.

You do not need to be a core developer, triager, or existing team member. “If you have expertise—say in cryptography, dependency management, or specific C libraries—we want to hear from you,” Coffee noted. Find more details on the official PEP 811 page.

This work is supported by Alpha-Omega, which sponsors Seth Larson’s role as Security Developer-in-Residence at the Python Software Foundation.