From 4470cde82c96caee902bd14100862a7855707a28 Mon Sep 17 00:00:00 2001 From: Seth Michael Larson Date: Thu, 5 Feb 2026 14:23:08 -0600 Subject: [PATCH 1/6] Publish the list of PSRT members --- .github/CODEOWNERS | 2 + developer-workflow/psrt.csv | 20 ++++++++++ developer-workflow/psrt.rst | 76 +++++++++++++++++++++++++++++++++++++ 3 files changed, 98 insertions(+) create mode 100644 developer-workflow/psrt.csv diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 668bb5aceb..7f1f223e38 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -4,5 +4,7 @@ # It uses the same pattern rule for gitignore file # https://git-scm.com/docs/gitignore#_pattern_format +# PSRT member list owned by PSRT admins. +developer-workflow/psrt.csv @warsaw @ewdurbin @ned-deily @sethmlarson garbage_collector.rst @pablogsal diff --git a/developer-workflow/psrt.csv b/developer-workflow/psrt.csv new file mode 100644 index 0000000000..c9e1ba3b58 --- /dev/null +++ b/developer-workflow/psrt.csv @@ -0,0 +1,20 @@ +Barry Warsaw,warsaw,Admin +Benjamin Peterson,benjaminp, +Dustin Ingram,di, +Donald Stufft,dstufft, +Ee Durbin,ewdurbin,Admin +Glyph Lefkowitz,glyph, +Gregory P. Smith,gpshead, +Hugo van Kemenade,hugovk,Release Manager +Larry Hastings,larryhastings, +Łukasz Langa,ambv, +Ned Deily,ned-deily,"Admin, Release Manager" +Pablo Galindo Salgado,pablogsal,Release Manager +Paul McMillan,paulmcmillan, +Pradyun Gedam,pradyunsg, +Savannah Bailey,savannahostrowski,Release Manager +Seth Larson,sethmlarson,Admin +Steve Dower,zooba, +Serhiy Storchaka,serhiy-storchaka, +Thomas Wouters,Yhg1s,Release Manager +Tim Peters,tim-one, \ No newline at end of file diff --git a/developer-workflow/psrt.rst b/developer-workflow/psrt.rst index cf5acd2b70..95c7c30288 100644 --- a/developer-workflow/psrt.rst +++ b/developer-workflow/psrt.rst 
@@ -4,6 +4,82 @@ Python Security Response Team (PSRT) The Python Security Response Team (PSRT) is responsible for handling vulnerability reports for CPython and pip. +Members +------- + +The PSRT publishes a full +list of members and admins, included in the table below: + +.. csv-table:: + :header: "Name", "GitHub username", "Notes" + :file: psrt.csv + :encoding: "utf-8" + +How can I join the PSRT? +~~~~~~~~~~~~~~~~~~~~~~~~ + +Anyone can join the PSRT following a nomination process +`similar to core team nominations`_. Nomination for a new member +is brought to the PSRT by an existing PSRT member and then +this nomination is voted on by existing PSRT members. +The nomination succeeds if the nomination receives at least +two-thirds positive votes from a vote of existing PSRT members +that is open for one week and not vetoed by the Steering Council. + +Once per year the Steering Council will receive a report of inactive members +of the PSRT with the recommendation to remove the inactive users from the PSRT. +“Inactive” is defined as a member who hasn’t coordinated or commented on a +vulnerability report in the past year since the last report was generated. +The Steering Council may remove members of the PSRT with a simple vote. + +Members of the PSRT who are a Release Manager or Steering Council member may +remain in the PSRT regardless of inactivity in vulnerability reports. + +.. _similar to core team nominations: https://devguide.python.org/core-team/join-team/ + +Responsibilities of PSRT members +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Below are the responsibilities of PSRT members: + +* Being knowledgeable about typical software vulnerability report handling + processes, such as CVE IDs, patches, coordinated disclosure, embargoes, etc. +* Not sharing or acting on embargoed information about the reported + vulnerability. 
Examples of disallowed behavior include sharing information + with colleagues or publicly deploying unpublished mitigations or patches ahead + of the advisory publication date. +* Acting as a “Coordinator” of vulnerability reports that are submitted to + projects. A coordinator’s responsibility is to move a report through the PSRT + process to a “finished” state, either rejected or as a published advisory and + mitigation, within the industry standard timeline of 90 days. +* As a Coordinator, involving relevant core team members or triagers where + necessary to make a determination whether a report is a vulnerability and + developing a patch. Coordinators are encouraged to involve members of the core + team to make the best decision for each report rather than working in isolation. +* As a Coordinator, calculating the severity using CVSS and authoring advisories + to be shared on `security-announce@python.org`_. These advisories are used for + CVE records by the `PSF CVE Numbering Authority`_. +* Coordinators that can no longer move a report forwards for any reason must + delegate their Coordinator role to someone else in the PSRT. + +.. _security-announce@python.org: https://mail.python.org/archives/list/security-announce@python.org/ +.. _PSF CVE Numbering Authority: https://www.python.org/cve-numbering-authority/ + +Responsibilities of PSRT admins +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +PSRT members who are designated as admins by the Steering Council have the +following additional responsibilities: + +* Triaging the ``security@python.org`` mailing list. +* Managing PSRT membership access including the GitHub team, the mailing list, + and Discord channel, to ensure they are synchronized with the canonical list + of PSRT members. +* On a yearly basis, providing the Steering Council with a report including a + list of inactive PSRT members. 
+* Running nomination elections, including counting final votes and giving + the Steering Council an opportunity to veto nominations via email. + Vulnerability report triage --------------------------- From 8a065ef302a1d8bdfe3fd712f013154ad715c8b8 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Thu, 5 Feb 2026 20:24:51 +0000 Subject: [PATCH 2/6] [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci --- developer-workflow/psrt.csv | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/developer-workflow/psrt.csv b/developer-workflow/psrt.csv index c9e1ba3b58..257e8f7855 100644 --- a/developer-workflow/psrt.csv +++ b/developer-workflow/psrt.csv @@ -17,4 +17,4 @@ Seth Larson,sethmlarson,Admin Steve Dower,zooba, Serhiy Storchaka,serhiy-storchaka, Thomas Wouters,Yhg1s,Release Manager -Tim Peters,tim-one, \ No newline at end of file +Tim Peters,tim-one, From 1ddc164e6313ccf1fce4b77f0496b8b48db78eb0 Mon Sep 17 00:00:00 2001 From: Seth Michael Larson Date: Thu, 5 Feb 2026 14:26:51 -0600 Subject: [PATCH 3/6] Add Jacob Coffee, newest PSRT member --- developer-workflow/psrt.csv | 1 + 1 file changed, 1 insertion(+) diff --git a/developer-workflow/psrt.csv b/developer-workflow/psrt.csv index 257e8f7855..67b8755e96 100644 --- a/developer-workflow/psrt.csv +++ b/developer-workflow/psrt.csv @@ -6,6 +6,7 @@ Ee Durbin,ewdurbin,Admin Glyph Lefkowitz,glyph, Gregory P. Smith,gpshead, Hugo van Kemenade,hugovk,Release Manager +Jacob Coffee,JacobCoffee, Larry Hastings,larryhastings, Łukasz Langa,ambv, Ned Deily,ned-deily,"Admin, Release Manager" From d8f1976da0815d3ef4833cf1d083de970c2eaf3a Mon Sep 17 00:00:00 2001 
From: Seth Michael Larson Date: Thu, 5 Feb 2026 20:36:47 +0000 Subject: [PATCH 4/6] Apply suggestions from code review Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com> --- developer-workflow/psrt.csv | 4 ++-- developer-workflow/psrt.rst | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/developer-workflow/psrt.csv b/developer-workflow/psrt.csv index 67b8755e96..771c11f744 100644 --- a/developer-workflow/psrt.csv +++ b/developer-workflow/psrt.csv @@ -8,14 +8,14 @@ Gregory P. Smith,gpshead, Hugo van Kemenade,hugovk,Release Manager Jacob Coffee,JacobCoffee, Larry Hastings,larryhastings, -Łukasz Langa,ambv, +Łukasz Langa,ambv,Release Manager Ned Deily,ned-deily,"Admin, Release Manager" Pablo Galindo Salgado,pablogsal,Release Manager Paul McMillan,paulmcmillan, Pradyun Gedam,pradyunsg, Savannah Bailey,savannahostrowski,Release Manager Seth Larson,sethmlarson,Admin -Steve Dower,zooba, +Steve Dower,zooba,Release Manager Serhiy Storchaka,serhiy-storchaka, Thomas Wouters,Yhg1s,Release Manager Tim Peters,tim-one, diff --git a/developer-workflow/psrt.rst b/developer-workflow/psrt.rst index 95c7c30288..543e09358e 100644 --- a/developer-workflow/psrt.rst +++ b/developer-workflow/psrt.rst 
@@ -43,13 +43,13 @@ Responsibilities of PSRT members Below are the responsibilities of PSRT members: * Being knowledgeable about typical software vulnerability report handling - processes, such as CVE IDs, patches, coordinated disclosure, embargoes, etc. + processes, such as CVE IDs, patches, coordinated disclosure, embargoes. * Not sharing or acting on embargoed information about the reported vulnerability. Examples of disallowed behavior include sharing information with colleagues or publicly deploying unpublished mitigations or patches ahead of the advisory publication date. * Acting as a “Coordinator” of vulnerability reports that are submitted to - projects. A coordinator’s responsibility is to move a report through the PSRT + projects. A Coordinator’s responsibility is to move a report through the PSRT process to a “finished” state, either rejected or as a published advisory and mitigation, within the industry standard timeline of 90 days. * As a Coordinator, involving relevant core team members or triagers where From 88b053890c5d150927259c7d1abb75d430a0bffe Mon Sep 17 00:00:00 2001 From: Seth Michael Larson Date: Thu, 5 Feb 2026 14:56:48 -0600 Subject: [PATCH 5/6] Alphabetize member names --- developer-workflow/psrt.csv | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/developer-workflow/psrt.csv b/developer-workflow/psrt.csv index 771c11f744..bb0fe9dfed 100644 --- a/developer-workflow/psrt.csv +++ b/developer-workflow/psrt.csv @@ -1,7 +1,7 @@ Barry Warsaw,warsaw,Admin Benjamin Peterson,benjaminp, -Dustin Ingram,di, Donald Stufft,dstufft, +Dustin Ingram,di, Ee Durbin,ewdurbin,Admin Glyph Lefkowitz,glyph, Gregory P. Smith,gpshead, 
@@ -14,8 +14,8 @@ Pablo Galindo Salgado,pablogsal,Release Manager Paul McMillan,paulmcmillan, Pradyun Gedam,pradyunsg, Savannah Bailey,savannahostrowski,Release Manager +Serhiy Storchaka,serhiy-storchaka, Seth Larson,sethmlarson,Admin Steve Dower,zooba,Release Manager -Serhiy Storchaka,serhiy-storchaka, Thomas Wouters,Yhg1s,Release Manager Tim Peters,tim-one, From 61d4feeb0bd0b373fcc6f16c3090a7fddc18a56a Mon Sep 17 00:00:00 2001 From: Seth Michael Larson Date: Thu, 5 Feb 2026 20:57:16 +0000 Subject: [PATCH 6/6] Update developer-workflow/psrt.csv Co-authored-by: Savannah Ostrowski --- developer-workflow/psrt.csv | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/developer-workflow/psrt.csv b/developer-workflow/psrt.csv index bb0fe9dfed..d5ee7d9541 100644 --- a/developer-workflow/psrt.csv +++ b/developer-workflow/psrt.csv @@ -13,7 +13,7 @@ Ned Deily,ned-deily,"Admin, Release Manager" Pablo Galindo Salgado,pablogsal,Release Manager Paul McMillan,paulmcmillan, Pradyun Gedam,pradyunsg, -Savannah Bailey,savannahostrowski,Release Manager +Savannah Ostrowski,savannahostrowski,Release Manager Serhiy Storchaka,serhiy-storchaka, Seth Larson,sethmlarson,Admin Steve Dower,zooba,Release Manager
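Review bot: In the `.github/CODEOWNERS` hunk of PATCH 1/6, the new rule covers only `developer-workflow/psrt.csv`; `developer-workflow/psrt.rst`, which the same patch extends with the nomination, veto and inactivity rules that decide who belongs on that list, stays unowned. Consider a second line such as `developer-workflow/psrt.rst @warsaw @ewdurbin @ned-deily @sethmlarson` (or a single `developer-workflow/psrt.*` pattern) so that process changes get the same admin review as roster changes. Also worth confirming: CODEOWNERS only requests reviews by itself, and blocks a merge only when the branch protection rule for the target branch requires review from code owners, so the membership list is an effective control only if that setting is on.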
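Review bot: In the `developer-workflow/psrt.csv` hunk of PATCH 1/6, the third column is free text and the only multi-role row, `Ned Deily,ned-deily,"Admin, Release Manager"`, relies on CSV quoting to survive the embedded comma; any future entry with two roles must be quoted the same way or the `csv-table` will parse that row as four fields against a three-column header. Either document that convention next to the directive in psrt.rst or separate roles with something other than a comma. It would also help to say in the Members section that this file is the canonical list referred to later ("synchronized with the canonical list of PSRT members"), since the text currently says only that the list is "included in the table below".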
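Review bot: In the `developer-workflow/psrt.rst` hunk of PATCH 1/6, the voting rule under "How can I join the PSRT?" is ambiguous: "at least two-thirds positive votes from a vote of existing PSRT members" does not say whether the denominator is all current members or only the votes cast during the one-week window, and the two readings give different outcomes for a team of about twenty with several inactive members; state which is intended and whether abstentions count. Two smaller points in the same hunk: the inactivity definition "in the past year since the last report was generated" reads as two overlapping windows, and "since the previous annual report was generated" would be clearer; and the exemption for Release Managers and Steering Council members cannot be derived from psrt.csv alone, because the Notes column records Release Manager but not Steering Council membership, so say where that status is taken from when the yearly report is produced. On the `csv-table` directive itself, `:encoding: "utf-8"` is normally written unquoted (`:encoding: utf-8`) in docutils documentation; dropping the quotes avoids relying on the option parser to tolerate them.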
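Review bot: The two `developer-workflow/psrt.csv` hunks of PATCH 5/6 fix ordering by hand (Dustin was before Donald, Serhiy after Steve in PATCH 1/6), and the list will keep drifting as members are added the way PATCH 3/6 does. Since pre-commit.ci is already wired up for this file (PATCH 2/6), a small hook that fails when the first column is not sorted would keep the roster ordered without relying on reviewers to spot it; note that a plain byte-order sort would place `Łukasz Langa` after `Tim Peters`, so the check should match the ordering intended here.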