
Python Security Response Team Overhauls Governance, Welcomes First New Member in Years

Last updated: 2026-05-11 01:59:15 · Programming

Breaking: Python Security Response Team Adopts New Governance, Adds Jacob Coffee to Roster

The Python Security Response Team (PSRT) has formally adopted a public governance document (PEP 811), marking a major shift toward transparency and sustainability. For the first time, the team now publishes a full list of members, documented responsibilities, and clear onboarding and offboarding procedures.

In a related move, Jacob Coffee, a Python Software Foundation Infrastructure Engineer, has joined the PSRT as the first non-Release Manager member since Seth Larson's appointment in 2023. His addition signals that the new onboarding process—requiring a nomination and two-thirds approval—is already operational.

"This governance structure balances security needs with long-term team health," said Seth Larson, Security Developer-in-Residence at the PSF. "Having a documented path for new members ensures we can sustain critical vulnerability response work for years to come."

Background

The PSRT is responsible for triaging and coordinating vulnerability reports for CPython, pip, and other Python ecosystem projects. In 2024 alone, the team published 16 advisories—the highest single-year count to date.

Historically, the team operated without formal governance, relying on a small core of release managers. The new PEP 811 structure clarifies the relationship between the PSRT and the Python Steering Council, and introduces documented roles for members and admins.

"Security doesn't happen by accident," Larson emphasized. "This work is often invisible, but it's critical. We're making sure the PSRT is built to last."

The governance overhaul was supported by funding from Alpha-Omega, which sponsors Larson's role under the Python Software Foundation's Security Developer-in-Residence program.

What This Means

The PSRT's new transparency enables the broader community to see who is handling vulnerability reports and how decisions are made. It also reduces the risk of burnout by creating a sustainable pipeline for new members.

"Involving project maintainers directly in remediation ensures fixes respect existing APIs and threat models," Larson noted. "That's why we encourage PSRT coordinators to bring in experts beyond the core team."

The team is now working on improved attribution workflows in GitHub Security Advisories, aiming to properly credit reporters, coordinators, and developers in CVE and OSV records. This recognition helps elevate security contributions to the same level as source code changes.

For those interested in joining, the process mirrors the Core Team nomination: a current member must nominate you, and at least two-thirds of existing PSRT members must vote in favor. Membership is open to non-core developers, triagers, and other contributors.

"You don't need to be a core developer to help keep Python secure," Larson added. "The new governance makes it clear: if you have the expertise and commitment, there's a path in."

The PSRT expects additional new members to join in the coming months, further strengthening Python's ecosystem security.

About Alpha-Omega Support

Alpha-Omega's sponsorship of Seth Larson's Security Developer-in-Residence position has been instrumental in advancing Python security infrastructure, including this governance reform.

For more details, see the official PEP 811 document and the PSRT member list.