Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Learning from the not-so-secret Python security...

Learning from the not-so-secret Python security cabal (EuroPython 2026)

The CPython runtime is some of the most-used software in the world. Part of maintaining a secure software project like CPython is participating in coordinated vulnerability disclosure (CVD). This process allows security researchers and maintainers of projects to work together to fix vulnerabilities and alert the public, keeping all Python programmers and users safe.

In this talk attendees will learn about how the Python language organizes its security team, how to balance security and open source contribution in coordinated vulnerability disclosure, and the latest in how open source projects can maintain a sustainable vulnerability disclosure program. Attendees that aren’t currently contributing to open source projects, but have an interest in their dependencies being secure, will learn ways they can contribute meaningfully to the security of open source projects they depend on.

https://ep2026.europython.eu/session/learning-from-the-not-so-secret-python-security-cabal

Avatar for Seth Michael Larson

Seth Michael Larson

July 16, 2026

Transcript

  1. Who am I? Seth Larson (@sethmlarson) Security Developer @ PSF

    Python Core Developer Python Security Response Team
  2. Goal: Roadmap for Security Contributors • Why now? ~LLMs •

    How to contribute to security for a project? • As a project, how to accept contributions?
  3. Vulnerability Lifecycle “CVE” Reporters ↓ Security Team ↓ Maintainers ↓

    Users Report ↓ Triage ↓ Develop Fix ↓ Advisory Security Policy Threat Model
  4. 🕹 Adversarial thinking 💬 Communication 🤝 Network with others ⚙

    How is the software used? Develop Yourself ✅
  5. Security Policy • Where to submit reports? • What to

    include in reports? • What behavior is acceptable? ✅
  6. Triage Reports • Not a vulnerability? → Public issue •

    Otherwise: this is a vulnerability! • Calculate severity (CVSS) • CVE ID (Red Hat, GitHub)
  7. Developing Fixes • Optional for Security Contributor! • Involve relevant

    contributors • Proof-of-concept to test case • Review the fix
  8. Publish Advisory • Description of vulnerability • What versions or

    APIs affected? • CVE ID, Severity, Patch • Mitigations (how to fix without patch)
  9. Security work has clearer benefit to company Time vs. $$$

    Vouching via “@company” email ✅ Sponsored Time
  10. ✖ Joining a security team to read or “lurk” Access

    means you are active ✖ Acting on info prior to disclosure Others are put in danger! What to Avoid ❌
  11. Is secrecy hampering triage, fixing, or mental well-being? LLM-discovered reports,

    Low severity “Shadowing” or mentoring Accepting Help is Less Risky
  12. • Ticket-based Reports! • LLMs only evaluate source control •

    AGENTS.md • Ban bad actors, Code of Conduct Tooling & Process
  13. Thank you! Thank you Alpha-Omega for sponsoring security @ PSF

    sethmlarson.dev Links and Slides pyfound.blogspot.com Python Software Foundation Blog