Overview
The Python Security Response Team (PSRT) is the group responsible for triaging and coordinating vulnerability reports and remediations for the Python ecosystem. As of 2024, the team has adopted a formal governance document (PEP 811) that clarifies roles, responsibilities, and the membership process. This guide will walk you through the steps to become a PSRT member, highlight the prerequisites, and help you avoid common pitfalls.
Prerequisites
Before pursuing membership, ensure you meet the following criteria:
- Interest in Python security: You should have a genuine desire to help secure the Python language and its components.
- No core developer status required: You do not need to be a Python core developer, triager, or team member to join. The PSRT welcomes contributors from diverse backgrounds.
- Existing PSRT member nomination: You must be nominated by a current PSRT member. Without a nominator, the process cannot proceed.
- Positive track record: While not officially required, demonstrating responsible disclosure experience or contributions to Python security projects (e.g., CPython, pip, PyPI) strengthens your nomination.
Step-by-Step Instructions
Step 1: Build Connections Within the Community
Since you need a nomination from an existing PSRT member, start by engaging with the Python security community. Participate in discussions on Python Discuss, contribute to security-related issues on GitHub, or attend Python Software Foundation events. Demonstrating your expertise and willingness to help will make it easier for a PSRT member to notice and nominate you.
Step 2: Request a Nomination
Once you have established a relationship with a PSRT member, ask them to nominate you. The nomination is a formal process: the nominator submits your name to the PSRT mailing list or internal channel. Your nomination should highlight your relevant experience and contributions to Python security.
Step 3: Vote by Existing Members
After your nomination is submitted, the PSRT administrators will initiate a vote among current members. According to the new governance document (PEP 811), your nomination must receive at least ⅔ (two-thirds) positive votes from the existing PSRT members to pass. This threshold ensures strong consensus and accountability.
Step 4: Onboarding and Training
If your nomination passes, you will be invited to join the PSRT. The onboarding process includes:
- Access to private communication channels (e.g., Slack, mailing list)
- Review of the PSRT internal documentation
- Shadowing experienced coordinators on vulnerability triage processes
- Completion of confidentiality agreements (if required)
Step 5: Begin Contributing
As a new member, you will start by assisting with vulnerability reports, coordinating with maintainers, and contributing to GitHub Security Advisories (GHSA). The PSRT encourages coordinators to involve subject-matter experts directly in the remediation process to ensure fixes follow API conventions, threat models, and maintainability. You will also help record the reporter, coordinator, and remediation contributors in CVEs and OSV records to properly credit everyone involved.
Common Mistakes
Assuming You Must Be a Core Developer
One of the biggest misconceptions is that only Python core developers can join the PSRT. This is false. The governance document explicitly welcomes non-core team members. In fact, the first new member who was not a release manager, Jacob Coffee, joined in 2024 after the new process was established. Do not let this myth deter you.
Neglecting Community Engagement
Some candidates try to rush the nomination by directly emailing the PSRT without building rapport. Because nominations require an existing member to sponsor you, a lack of community involvement can stall your application. Invest time in contributing to open-source security efforts to get noticed.
Underestimating the Voting Threshold
The ⅔ majority is a high bar. If your nomination does not receive enough positive votes, it may be declined or require re-nomination. Ensure your nominator has made a strong case and that you have adequately communicated your qualifications to the team beforehand.
Misunderstanding the Time Commitment
PSRT work involves coordinating vulnerability reports, which can be time-sensitive and require prompt responses. New members sometimes underestimate the urgency. Treat your membership as a substantive volunteer (or paid staff) role that demands reliability.
Summary
The Python Security Response Team is vital to the safety of the Python ecosystem. With the implementation of PEP 811, the path to membership is transparent and democratic. By meeting the prerequisites, securing a nomination, receiving a two-thirds vote, and completing onboarding, you can become part of this essential team. Remember to engage with the community, avoid common misconceptions, and stay committed to the team’s mission. Your contributions will help secure Python for millions of users.