Why This Matters: Python Security Gets a Governance Upgrade

For years, the Python Security Response Team (PSRT) operated behind the scenes, handling vulnerability reports with minimal public visibility. That changes now. With the approval of PEP 811, the PSRT has a formal governance structure that defines membership, responsibilities, and onboarding procedures.

This is a critical step for the Python ecosystem. As the language powers everything from web servers to AI pipelines, having a clear, sustainable security response process is no longer optional—it's a necessity.

Key changes include:

  • Public list of PSRT members and their roles.
  • Documented responsibilities for members and admins.
  • A defined onboarding/offboarding process balancing security and sustainability.
  • Clarified relationship between the Python Steering Council and the PSRT.

This transparency helps the community trust the process and opens the door for new contributors.


First New Member: Jacob Coffee Joins the PSRT

The new governance isn't just paperwork. Jacob Coffee, the PSF Infrastructure Engineer, has become the first member who is not a CPython release manager to join the PSRT since Seth Larson joined in 2023.

This is a direct result of the new onboarding process defined in PEP 811. It signals a shift toward a more inclusive, skills-based membership model—meaning you don't need to be a core developer to contribute to Python's security.

What the PSRT actually does:

  • Triages and coordinates vulnerability reports.
  • Publishes security advisories (16 in 2025 alone for CPython and pip).
  • Works with maintainers and experts to ensure fixes adhere to API conventions and threat models.
  • Coordinates with other open source projects to avoid ecosystem-wide surprises.

A recent example of cross-project coordination: PyPI’s ZIP archive differential attack mitigation.


How to Join the Python Security Response Team

Inspired to help? The process is similar to the Core Team nomination:

  1. You need an existing PSRT member to nominate you.
  2. Your nomination must receive at least two-thirds positive votes from current members.

You do NOT need to be:

  • A core developer
  • A team member or triager

What you DO need:

  • Security expertise recognized within the Python community.
  • High trustworthiness.
  • Time to volunteer or employer sponsorship for part-time work.

All PSRT members have documented responsibilities and are expected to contribute meaningfully to vulnerability remediation.

Note: You don't need to be a PSRT member to learn about Python vulnerabilities. The PSF is a CVE Numbering Authority (CNA) and publishes CVE and OSV records publicly, so anyone can consume them once an advisory is out.
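Public OSV records are only useful if you can tell whether the version you run is inside an advisory's affected range. The following is an added example, not code from the PSRT, the PSF, or PEP 811: it evaluates a PyPI package version against an OSV-format record using the schema's ECOSYSTEM range semantics (introduced is inclusive, fixed is exclusive, last_affected is inclusive). The record, its id and the package name are constructed placeholders, not a real advisory; PEP 440 comparison uses the `packaging` library when present and falls back to a plain numeric-tuple compare otherwise (an assumption that only suits simple dotted release numbers).

```python
"""Check a PyPI package version against an OSV record's affected ranges.

Added example for illustration; not code from the PSRT, the PSF or PEP 811.
The SAMPLE_RECORD below is a constructed placeholder, not a real advisory.
"""
from __future__ import annotations

import json
from typing import Any

try:  # Proper PEP 440 ordering when `packaging` is installed
    from packaging.version import Version as _Version
except ImportError:  # Assumption: fallback only handles "1.2.3"-style releases
    _Version = None


def parse_version(v: str):
    """Return a comparable version object for `v`."""
    if _Version is not None:
        return _Version(v)
    return tuple(int(part) for part in v.split("."))


# Constructed OSV-style record (placeholder id/package; not a real advisory).
SAMPLE_RECORD: dict[str, Any] = json.loads("""
{
  "id": "EXAMPLE-0000-0001",
  "summary": "Constructed placeholder advisory for examplepkg",
  "affected": [
    {
      "package": {"ecosystem": "PyPI", "name": "examplepkg"},
      "ranges": [
        {"type": "ECOSYSTEM",
         "events": [{"introduced": "1.2.0"}, {"fixed": "1.4.1"},
                    {"introduced": "2.0.0"}, {"fixed": "2.0.3"}]}
      ]
    }
  ]
}
""")


def _event_version(event: dict[str, str]) -> str:
    # Each event carries exactly one of introduced / fixed / last_affected.
    return next(iter(event.values()))


def _in_ecosystem_range(events: list[dict[str, str]], target) -> bool:
    """Walk the events in version order and track whether `target` is inside
    a vulnerable interval. "introduced": "0" means 'from the first release'
    and compares as the lowest possible version."""
    vulnerable = False
    for event in sorted(events, key=lambda e: parse_version(_event_version(e))):
        if "introduced" in event:
            if target >= parse_version(event["introduced"]):
                vulnerable = True
        elif "fixed" in event:
            if target >= parse_version(event["fixed"]):
                vulnerable = False
        elif "last_affected" in event:
            if target > parse_version(event["last_affected"]):
                vulnerable = False
    return vulnerable


def is_affected(record: dict[str, Any], package: str, version: str) -> bool:
    """True if `version` of PyPI package `package` falls in any affected
    range (or explicit version list) of the OSV `record`."""
    target = parse_version(version)
    for entry in record.get("affected", []):
        pkg = entry.get("package", {})
        if pkg.get("ecosystem") != "PyPI":
            continue
        if pkg.get("name", "").lower() != package.lower():
            continue
        # Some records enumerate affected versions explicitly.
        if version in entry.get("versions", []):
            return True
        for rng in entry.get("ranges", []):
            if rng.get("type") != "ECOSYSTEM":
                continue  # GIT/SEMVER ranges need a different comparator
            if _in_ecosystem_range(rng.get("events", []), target):
                return True
    return False


if __name__ == "__main__":
    for v in ("1.0.0", "1.3.0", "1.4.1", "2.0.1", "2.1.0"):
        print(f"examplepkg {v}: affected={is_affected(SAMPLE_RECORD, 'examplepkg', v)}")
```

In practice the record would come from a query to the public OSV API or from the PSF's advisory feed rather than being embedded; the range logic is the part people get wrong, usually by treating `fixed` as inclusive.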



Conclusion: Security Deserves Celebration Too

Seth Larson and Jacob Coffee are proving that security work in open source deserves the same recognition as code contributions. The new governance (PEP 811) makes the process transparent, sustainable, and welcoming to new talent.

Next steps for you:

  • If you have security expertise, consider getting nominated to the PSRT.
  • If you're a Python user, keep an eye on public CVE/OSV records for advisories.
  • If you're a maintainer, volunteer to help coordinate fixes when vulnerabilities affect your project.

Security doesn't happen by accident. It happens because people like Seth and Jacob—and maybe soon, you—choose to make it a priority.


This content was drafted using AI tools based on reliable sources, and has been reviewed by our editorial team before publication. It is not intended to replace professional advice.