How to Become a Member of the Python Security Response Team: A Step-by-Step Guide
Introduction
Security is a team effort, and the Python Security Response Team (PSRT) is at the heart of protecting the Python ecosystem. Thanks to recent governance improvements (PEP 811), the PSRT now has a transparent public charter, a clear list of members, and a well-defined onboarding process. This guide walks you through exactly how to join the PSRT—from understanding the team’s mission to being officially onboarded.
Whether you're a seasoned core developer or a passionate security enthusiast, the PSRT welcomes new members who are committed to triaging vulnerabilities and coordinating fixes that keep millions of users safe. In 2023 alone, the team published 16 advisories for CPython and pip—the most in a single year. Your contribution could make a real difference.
What You Need to Get Started
- An existing PSRT member to nominate you – The process requires a sponsor from within the team.
- Support from at least two-thirds of the current PSRT members – Your nomination must pass a positive vote with this supermajority.
- No specific role required – You don’t need to be a core developer, triager, or release manager. A background in security and a willingness to contribute are your primary assets.
- Familiarity with the PSRT governance document (PEP 811) – Understanding the team’s structure and responsibilities is essential.
- Time and dedication – The role involves triaging vulnerability reports, coordinating fixes, and occasionally working with external projects. Expect to commit several hours per month.
Step-by-Step Guide to Joining the PSRT
Step 1: Understand the Python Security Response Team
Before you can join, you need to know what the PSRT does. The team triages and coordinates vulnerability reports and remediations for CPython and pip, and occasionally for other projects in the Python ecosystem. The team works closely with project maintainers and experts to ensure fixes respect existing APIs, threat models, and long-term maintainability. The PSRT also coordinates with other open source projects when advisories affect multiple communities—for example, the recent ZIP archive differential attack mitigation on PyPI.
Key resource: Read PEP 811 to see the governance structure, member responsibilities, and how the team relates to the Python Steering Council.
Step 2: Connect with Current PSRT Members
You need a current member to nominate you. Start by identifying who the active members are. The PSRT now publishes a public list—check the official Python security page. Engage with the team through:
- Participating in security discussions on the Python security list or the PSF security channels.
- Contributing to vulnerability research or helping test patches.
- Attending relevant Python software security events or sprints.
If you’re known for your security work in the Python community, it’s easier to find a sponsor. Remember: Jacob Coffee, the PSF Infrastructure Engineer, recently became the first non-release-manager member since Seth Larson joined in 2023—so the team is open to diverse backgrounds.
Step 3: Secure a Nomination
The nomination process mirrors the Core Team nomination process. An existing PSRT member must formally nominate you. This typically happens after they’ve observed your contributions, interest, and reliability. The nomination should highlight your relevant experience, such as past security work, vulnerability handling, or collaboration on CPython security issues.
Important: The nominator must believe you will contribute positively to the team’s sustainability and security balance.
Step 4: The Voting Process
Once nominated, the current PSRT members vote. For the nomination to succeed, at least two-thirds of active members must vote in favor. The vote is private to maintain confidentiality, but the outcome is communicated to you. If you are approved, congratulations! If not, the team usually provides feedback so you can address any concerns and try again later.
Note: The new governance structure (PEP 811) ensures that the process is transparent and fair, balancing security needs with team sustainability.
Step 5: Onboarding as a New Member
After approval, you’ll go through the onboarding process defined in PEP 811. This includes:
- Understanding member responsibilities and administrative duties.
- Getting access to private reporting channels, vulnerability databases, and coordination tools.
- Learning the workflow for handling GitHub Security Advisories – a key part of properly crediting reporters, coordinators, and remediation developers in the resulting CVE and OSV records.
- Shadowing an experienced member on your first few vulnerability reports.
The onboarding is designed to ensure you can contribute effectively while maintaining the high security standards the team is known for.
Step 6: Contribute and Help Sustain the Team
Once onboarded, dive into the work. The PSRT relies on active members to:
- Triage vulnerability reports.
- Coordinate with maintainers and experts (involving them directly in remediation to ensure high-quality fixes).
- Publish advisories and CVEs promptly.
- Collaborate with other open source projects when vulnerabilities cross boundaries.
Your work will be recognized—the team is improving how contributors are credited in advisories, so you’ll get the recognition you deserve, just like code or documentation contributions.
Tips for Success
- Start small: If you’re new to security, consider contributing to Python’s security infrastructure first—like helping with the CVE/OSV records or improving advisory documentation.
- Be persistent: If your nomination doesn’t pass the first time, ask for feedback and work on the areas the team identified.
- Network within the community: Attend Python security talks, join the PSF’s security channels, and contribute to security-related discussions on the Python discourse.
- Value sustainability: The PSRT’s new governance is designed to make the team sustainable. As a member, helping with offboarding and knowledge transfer is just as important as handling vulnerabilities.
- Celebrate your work: Security work is often behind the scenes, but it deserves recognition. The team is actively improving how contributors are thanked—so don’t be shy about sharing your contributions (within confidentiality limits).
- Remember the “why”: You’re joining a team that protects the entire Python ecosystem. Every advisory you coordinate keeps millions of users safe—a huge responsibility and a proud achievement.
Ready to take the next step? Connect with a current PSRT member today and start your journey toward becoming a guardian of Python’s security.