Python Security Team Formalizes Governance
The Python Security Response Team (PSRT) is increasing its transparency and formalizing its operations under a new public governance document, PEP 811. The Python Software Foundation announced the move, which includes a published member list and clear operating procedures for team members. The foundation is also encouraging security professionals to join the PSRT to widen community participation.
- The new governance model was driven by Security Developer-in-Residence Seth Michael Larson and is detailed in Python Enhancement Proposal (PEP) 811.
- Previously, the PSRT was described more informally as a "highly trusted cabal of Python developers"; the new PEP aims to define membership and responsibilities more precisely.
- A key process change is the adoption of GitHub Security Advisories as the primary system for handling vulnerability reports, a shift from the previous reliance on the security@python.org mailing list and private repositories.
- The formalized structure introduces a "Coordinator" role for each vulnerability report, responsible for moving it through the remediation process within an industry-standard 90-day disclosure timeline.
- Under the new rules, the Python Steering Council has the authority to add or remove PSRT members.
- This change comes as the team's workload has grown: the PSRT published 16 vulnerability advisories for CPython and pip in the last year, the most in a single year to date.
- The Python Software Foundation's security efforts are supported by its designation as a CVE Numbering Authority (CNA), which allows it to assign CVE IDs to vulnerabilities in Python and pip.
- Recently, the AI company Anthropic invested $1.5 million in the Python Software Foundation specifically to fund security improvements for CPython and the Python Package Index (PyPI).