Quick Facts
- Category: Programming
- Published: 2026-05-17 06:22:08
Introduction
The Python Security Response Team (PSRT) has taken significant steps to formalize its operations and expand its membership, ensuring the long-term sustainability of security work for the Python programming language. With the approval of PEP 811, the team now operates under a public governance document, and recent onboarding of a new member marks a milestone in team growth. This article explores the revamped structure, recent developments, and the path for others to contribute to Python's security.
The Python Security Response Team: A Vital Shield
Security in the Python ecosystem does not happen by accident. It relies on the dedicated work of volunteers and paid staff within the PSRT, who triage and coordinate vulnerability reports and remediation efforts. Their efforts keep all Python users safe. In the past year alone, the PSRT published 16 vulnerability advisories for CPython and pip – the highest number in a single year to date. This underscores the increasing importance of structured security processes as Python's usage expands.
New Governance Structure: PEP 811
Thanks to the efforts of Seth Larson, the Security Developer-in-Residence at the Python Software Foundation, the PSRT now has an approved public governance document: PEP 811. This document introduces several key improvements:
- A publicly available list of PSRT members
- Clearly defined responsibilities for both members and administrators
- A formal onboarding and offboarding process to balance security needs with team sustainability
- Clarification of the relationship between the Python Steering Council and the PSRT
This governance framework ensures transparency and accountability while enabling the team to scale effectively.
Expanding the Team: Jacob Coffee Joins
The new onboarding process is already yielding results. Jacob Coffee, the PSF Infrastructure Engineer, has joined the PSRT as the first new non-"Release Manager" member since Seth Larson became a member in 2023. This addition bolsters the sustainability of security work and signals an open door for other specialists to contribute. The PSRT expects further members to join in the coming months, strengthening the team's capacity to handle vulnerabilities.
Behind the Scenes: How the PSRT Operates
The PSRT rarely works in isolation. Coordinators actively involve project maintainers and experts from the affected submodules during vulnerability remediation. This collaborative approach ensures that fixes adhere to existing API conventions and threat models, remain maintainable over time, and minimize impact on current use cases. When a vulnerability affects multiple open-source projects, the PSRT coordinates with other communities to avoid surprising the ecosystem. A recent example is the mitigation for PyPI's ZIP archive differential attack.
Recognition for Security Contributors
Contributions to security often go unnoticed compared to code or documentation. To address this, Seth Larson and Jacob Coffee are improving workflows that use GitHub Security Advisories. These improvements will record the reporter, coordinator, remediation developers, and reviewers in CVE and OSV records, ensuring proper credit for everyone involved in private security contributions.
How to Join the Python Security Response Team
If you are interested in directly helping secure the Python programming language, the membership process mirrors the Core Team nomination process. You need an existing PSRT member to nominate you, and your nomination must receive at least two-thirds positive votes from current PSRT members. Importantly, you do not need to be a core developer, team member, or triager to qualify. The team values diverse expertise and perspectives.
Conclusion
The Python Security Response Team's formalized governance and growing membership represent a proactive step toward sustainable security for the Python ecosystem. With support from sponsors like Alpha-Omega, which funds Seth Larson's role, the PSRT is better equipped than ever to handle vulnerabilities. Whether you are a seasoned developer or a security enthusiast, there is a path to contribute to this critical work.