Python Security Response Team Overhauls Governance with PEP 811, Welcomes New Member
Breaking News: Python Security Response Team Adopts Public Governance
The Python Security Response Team (PSRT) has officially adopted a new public governance framework under PEP 811, marking a major step toward transparency and sustainability. The policy, driven by Security Developer-in-Residence Seth Larson, establishes clear membership lists, documented responsibilities, and a structured onboarding process.
"This governance document ensures that security work can scale without burning out volunteers," said Larson. "We now have a sustainable way to bring in new members while maintaining the highest security standards."
Background
Until now, the PSRT operated without a formal public charter. Members were largely selected from the pool of Python Release Managers, leading to a small, overburdened team. The new policy, approved after months of community discussion, clarifies roles and the relationship with the Python Steering Council.
Already, the process is bearing fruit. Jacob Coffee, the Python Software Foundation’s Infrastructure Engineer, has joined the PSRT as the first non–Release Manager member since Larson’s own appointment in 2023. "Jacob’s infrastructure expertise is a huge asset," Larson noted. "We expect more diverse experts to follow."
What This Means
For Python users, this means faster, more coordinated responses to security vulnerabilities. The PSRT handled a record 16 advisories last year for CPython and pip alone, and the new structure should increase that capacity.
The team also plans to credit contributors more formally via GitHub Security Advisories, ensuring that reporters, coordinators, and fixers receive recognition in CVE and OSV records. "Security contributions deserve the same celebration as code commits," said Larson.
Broader Ecosystem Impact
The PSRT doesn’t work in isolation. It coordinates with other open-source projects to prevent cascading vulnerabilities, as seen in the recent PyPI ZIP archive differential attack mitigation. The governance change reinforces this collaborative approach.
How to Join
Interested in helping? You don’t need to be a core developer. Any existing PSRT member can nominate you, and a two-thirds vote from the team is required. Nominees are evaluated on their security experience and willingness to volunteer.
"We’re looking for people who can triage reports and work with maintainers," Larson explained. "If you have a background in security engineering or incident response, consider reaching out to a current member."
Acknowledgments
This work is supported by Alpha-Omega, which funds Larson’s Security Developer-in-Residence role at the Python Software Foundation.