Publish the list of PSRT members

sethmlarson · sethmlarson · commit 4470cde82c96 · 2026-02-05T14:24:02.000-06:00
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -4,5 +4,7 @@
 # It uses the same pattern rule for gitignore file
 # https://git-scm.com/docs/gitignore#_pattern_format
 
+# PSRT member list owned by PSRT admins.
+developer-workflow/psrt.csv   @warsaw @ewdurbin @ned-deily @sethmlarson
 
 garbage_collector.rst         @pablogsal
diff --git a/developer-workflow/psrt.csv b/developer-workflow/psrt.csv
@@ -0,0 +1,20 @@
+Barry Warsaw,warsaw,Admin
+Benjamin Peterson,benjaminp,
+Dustin Ingram,di,
+Donald Stufft,dstufft,
+Ee Durbin,ewdurbin,Admin
+Glyph Lefkowitz,glyph,
+Gregory P. Smith,gpshead,
+Hugo van Kemenade,hugovk,Release Manager
+Larry Hastings,larryhastings,
+Łukasz Langa,ambv,
+Ned Deily,ned-deily,"Admin, Release Manager"
+Pablo Galindo Salgado,pablogsal,Release Manager
+Paul McMillan,paulmcmillan,
+Pradyun Gedam,pradyunsg,
+Savannah Bailey,savannahostrowski,Release Manager
+Seth Larson,sethmlarson,Admin
+Steve Dower,zooba,
+Serhiy Storchaka,serhiy-storchaka,
+Thomas Wouters,Yhg1s,Release Manager
+Tim Peters,tim-one,
diff --git a/developer-workflow/psrt.rst b/developer-workflow/psrt.rst
@@ -4,6 +4,82 @@ Python Security Response Team (PSRT)
 The Python Security Response Team (PSRT) is responsible for handling
 vulnerability reports for CPython and pip.
 
+Members
+-------
+
+The PSRT publishes a full
+list of members and admins, included in the table below:
+
+.. csv-table::
+   :header: "Name", "GitHub username", "Notes"
+   :file: psrt.csv
+   :encoding: "utf-8"
+
+How can I join the PSRT?
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+Anyone can join the PSRT following a nomination process
+`similar to core team nominations`_. Nomination for a new member
+is brought to the PSRT by an existing PSRT member and then
+this nomination is voted on by existing PSRT members.
+The nomination succeeds if the nomination receives at least
+two-thirds positive votes from a vote of existing PSRT members
+that is open for one week and not vetoed by the Steering Council.
+
+Once per year the Steering Council will receive a report of inactive members
+of the PSRT with the recommendation to remove the inactive users from the PSRT.
+“Inactive” is defined as a member who hasn’t coordinated or commented on a
+vulnerability report in the past year since the last report was generated.
+The Steering Council may remove members of the PSRT with a simple vote.
+
+Members of the PSRT who are a Release Manager or Steering Council member may
+remain in the PSRT regardless of inactivity in vulnerability reports.
+
+.. _similar to core team nominations: https://devguide.python.org/core-team/join-team/
+
+Responsibilities of PSRT members
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Below are the responsibilities of PSRT members:
+
+* Being knowledgeable about typical software vulnerability report handling
+  processes, such as CVE IDs, patches, coordinated disclosure, embargoes, etc.
+* Not sharing or acting on embargoed information about the reported
+  vulnerability. Examples of disallowed behavior include sharing information
+  with colleagues or publicly deploying unpublished mitigations or patches ahead
+  of the advisory publication date.
+* Acting as a “Coordinator” of vulnerability reports that are submitted to
+  projects. A coordinator’s responsibility is to move a report through the PSRT
+  process to a “finished” state, either rejected or as a published advisory and
+  mitigation, within the industry standard timeline of 90 days.
+* As a Coordinator, involving relevant core team members or triagers where
+  necessary to make a determination whether a report is a vulnerability and
+  developing a patch. Coordinators are encouraged to involve members of the core
+  team to make the best decision for each report rather than working in isolation.
+* As a Coordinator, calculating the severity using CVSS and authoring advisories
+  to be shared on `security-announce@python.org`_. These advisories are used for
+  CVE records by the `PSF CVE Numbering Authority`_.
+* Coordinators that can no longer move a report forwards for any reason must
+  delegate their Coordinator role to someone else in the PSRT.
+
+.. _security-announce@python.org: https://mail.python.org/archives/list/security-announce@python.org/
+.. _PSF CVE Numbering Authority: https://www.python.org/cve-numbering-authority/
+
+Responsibilities of PSRT admins
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+PSRT members who are designated as admins by the Steering Council have the
+following additional responsibilities:
+
+* Triaging the ``security@python.org`` mailing list.
+* Managing PSRT membership access including the GitHub team, the mailing list,
+  and Discord channel, to ensure they are synchronized with the canonical list
+  of PSRT members.
+* On a yearly basis, providing the Steering Council with a report including a
+  list of inactive PSRT members.
+* Running nomination elections, including counting final votes and giving
+  the Steering Council an opportunity to veto nominations via email.
+
 Vulnerability report triage
 ---------------------------
 
