How to Join the Python Security Response Team
Introduction
The Python Security Response Team (PSRT) is the backbone of security for the Python ecosystem – a group of dedicated volunteers and paid staff who triage vulnerability reports, coordinate fixes, and ensure that millions of Python users stay safe. With the recent approval of PEP 811, the PSRT now has a public governance document, a transparent membership list, and a clear onboarding process. This guide will walk you through exactly how to become a member, from meeting prerequisites to successfully joining the team. Whether you're a seasoned core developer or a passionate contributor with security expertise, the PSRT welcomes those ready to make a difference.
What You Need
- Existing PSRT member sponsor: You must be nominated by a current member of the PSRT. The process is similar to the Python Core Team nomination process.
- At least ⅔ positive votes: Your nomination must receive approval from at least two-thirds of existing PSRT members.
- Security expertise or strong interest: While you don’t need to be a core developer, triager, or team member, you should have a solid understanding of Python security practices, vulnerability handling, and the ecosystem.
- Commitment to sustainability: The PSRT values members who balance security needs with long-term maintainability – you’ll be expected to respect API conventions and threat models, and to minimize impact on existing use cases.
- Familiarity with GitHub Security Advisories and CVE/OSV records: Recent improvements by Seth Larson and Jacob Coffee encourage members to properly record contributors in security advisories, so you should be comfortable with these tools.
Step-by-Step Process to Join the PSRT
Step 1: Build Your Security Reputation and Gain Visibility
Before you can be nominated, you need to be known in the Python security community. Start by actively contributing to security discussions, reporting vulnerabilities responsibly, or helping maintain existing security tooling. You might:
- Submit vulnerability reports to the PSRT (via their confidential reporting process).
- Contribute to CPython or pip security patches.
- Participate in Python Software Foundation (PSF) security initiatives.
- Attend security-focused Python events or mailing lists.
Your goal is to demonstrate your reliability, technical skill, and collaborative spirit – making you a strong candidate for nomination.
Step 2: Find a PSRT Member to Sponsor Your Nomination
You must have an existing PSRT member nominate you. The PSRT now publishes a public list of members (thanks to PEP 811), so you can identify who to approach. Reach out to a member who knows your work – perhaps someone you have collaborated with on a security fix or a vulnerability advisory. Explain why you want to join, your relevant experience, and how you can contribute to the team’s sustainability.
Step 3: Formal Nomination and Submission
Once a PSRT member agrees to sponsor you, they will submit your nomination for official consideration. The nomination should include:
- Your security background and contributions.
- Your motivation for joining.
- Any specific skills (e.g., expertise in submodules, API design, threat modeling) that align with the PSRT’s needs.
The nomination is then presented to the full PSRT membership for evaluation.
Step 4: Voting by Current Members
All current PSRT members vote on your nomination. As per the governance document (PEP 811), your nomination requires at least ⅔ positive votes from the existing members. The vote is private to respect security and confidentiality. During this period, members may discuss your qualifications and ask questions. If successful, you move to the next step.
Step 5: Onboarding and Integration
After the vote, the PSRT admins will contact you to begin the onboarding process. This includes:
- Reviewing the team’s documented responsibilities and expectations (now public in PEP 811).
- Understanding the relationship between the PSRT and the Python Steering Council.
- Learning the workflow for handling security advisories, including using GitHub Security Advisories to record reporters, coordinators, and remediation developers for CVE/OSV credits.
- Getting access to any private communication channels or tools.
The team emphasizes sustainability, so you’ll be trained on balancing security fixes with minimal disruption to the ecosystem. Recent additions like Jacob Coffee (the first non–Release Manager member since 2023) show that the new onboarding process works for diverse backgrounds.
Tips for a Successful Application
- Start early: Build relationships with current PSRT members before seeking a nomination. Attend Python security meetings or offer help on open issues.
- Highlight collaboration: The PSRT often involves maintainers and experts from various projects. Show your ability to coordinate with others and respect existing API conventions.
- Understand the recognition culture: Seth and Jacob are working to improve credit for private contributions – being able to handle sensitive work gracefully is a plus.
- Be patient: The voting and onboarding process can take time. The PSRT values thoroughness and security over speed.
- Don’t be discouraged if you’re not a core developer: The PSRT explicitly does not require core developer status. Any contributor with security expertise can join.
- Remember the bigger picture: Your work will directly protect the Python ecosystem. Celebrate your contributions – they are as important as code commits!
By following these steps, you can become a vital part of the Python Security Response Team and help sustain the security of Python for everyone. Good luck!