How to Join the Python Security Response Team: A Step-by-Step Guide
Introduction
Security is not accidental—it’s built by dedicated volunteers and staff who triage vulnerabilities, coordinate fixes, and keep the Python ecosystem safe. The Python Security Response Team (PSRT) is the group responsible for this critical work. Thanks to recent governance changes formalized in PEP 811, the PSRT now has a transparent membership list, clear responsibilities, and a sustainable onboarding process. The first new non-Release Manager member, Jacob Coffee (PSF Infrastructure Engineer), has already joined under this process, and the team expects more to follow. If you’ve ever wanted to directly contribute to Python security, now is the perfect time to learn how to become a PSRT member. This guide walks you through the nomination and voting process, requirements, and what to expect after joining.
What You Need
Before starting the process, ensure you meet these prerequisites:
- A nominator: You must be nominated by an existing PSRT member.
- No prior role required: You do not need to be a core developer, triager, or release manager. Anyone with relevant security expertise or a strong commitment to Python security can be considered.
- Approval threshold: Your nomination must receive at least two-thirds positive votes from the current PSRT membership.
- Willingness to collaborate: PSRT work involves coordinating with maintainers, experts, and sometimes other open-source projects.
- Understanding of governance: Familiarize yourself with Step 1 for an overview of the PSRT structure and responsibilities.
Step-by-Step Process to Join the PSRT
Step 1: Understand the PSRT Structure and Responsibilities
Before seeking a nomination, learn how the team operates. The PSRT is governed by PEP 811, which defines:
- Members: Responsible for triaging and coordinating vulnerability reports, publishing advisories, and ensuring timely fixes.
- Admins: Handle onboarding, offboarding, and maintain membership records.
- Relationship with Python Steering Council: The PSRT operates under the Council’s oversight but has autonomy in security decisions.
The team encourages involving project maintainers and subject-matter experts during remediation to ensure fixes maintain API conventions and minimal impact. The PSRT also coordinates with other open-source projects—for example, the PyPI ZIP archive differential attack mitigation—to protect the broader ecosystem.
Step 2: Find an Existing PSRT Member to Nominate You
You cannot self-nominate. Reach out to current PSRT members, whose names are now publicly listed (per PEP 811). Attend Python security-related events, contribute to CPython security discussions, or participate in the Python Security Response Team’s public channels. If you have a track record of responsible disclosure, security research, or past contributions to Python security—even indirectly—mention that to potential nominators.
Step 3: Formal Nomination
Once a current member agrees to nominate you, they will submit a formal nomination to the PSRT. The process is similar to the Core Team nomination procedure. The nomination should include your background, security-relevant experience, and reasons for joining. No specific format is mandated, but transparency helps.
Step 4: Voting by Current Members
After the nomination is submitted, all current PSRT members vote. The outcome requires:
- At least two-thirds (⅔) positive votes from the existing membership.
- Votes are private, and the process is designed to balance security needs with team sustainability.
If approved, you are provisionally accepted.
Step 5: Onboarding
Once you have the required votes, the PSRT admins will start the onboarding process. This includes:
- Access to private communication channels and vulnerability tracking tools.
- Training on the team’s workflows, such as using GitHub Security Advisories to record reporters, coordinators, and remediation developers—a practice recently improved by Seth Larson and Jacob Coffee to ensure proper acknowledgment in CVE and OSV records.
- Assignment of a mentor or buddy to guide you through your first few reports.
Step 6: Start Contributing and Coordinating
As a new PSRT member, your main role will be to triage vulnerability reports, coordinate with maintainers, and help publish advisories. The team published 16 advisories for CPython and pip in the last year alone—the most ever—showing the growing importance of this work. You may also get involved in cross-project coordination, like the recent collaboration on PyPI’s ZIP archive security fix. Recognition for security contributions is just as valuable as code commits, so expect your work to be documented in CVEs and OSV records.
Tips for a Successful Application and Membership
- Build relationships early: Engage with the Python security community on GitHub, Discourse, or at conferences. A strong rapport with current PSRT members increases your chances of a nomination.
- Highlight any prior security work: Even small contributions—like reporting a bug or participating in a security audit—demonstrate your commitment.
- Understand the sustainability aspect: The PSRT’s new governance is designed to scale. Be prepared to help with onboarding future members and maintaining documentation.
- Stay patient and persistent: The voting threshold is high, but the team values quality over quantity. If your first attempt doesn’t succeed, ask for feedback and try again later.
- Celebrate contributions: All security work—whether code, triage, or coordination—deserves recognition. Use the improved CVE attribution process to ensure your efforts are recorded.
- Leverage Alpha-Omega support: Thanks to sponsors like Alpha-Omega, the PSRT has a full-time Security Developer-in-Residence (Seth Larson). This resource helps streamline operations and support team members.
Joining the Python Security Response Team is a unique opportunity to directly safeguard the language used by millions. With the new transparent governance, a sustainable onboarding process, and growing recognition for security work, now is the ideal time to step forward. Good luck!