Malware Triage Volunteer Opportunities?

Hi folks! New around here so please forgive any misunderstandings :slightly_smiling_face:

I was looking through warehouse on GitHub and PyPA documentation about individual membership, and it looks like most of the time people join PyPA projects by becoming a maintainer. Are there other ways to get involved with PyPI, such as volunteering specifically to help triage external reports (ex. malware on PyPI, typosquatting, etc.)? I'd love to help out where I can!

Hey Chris, thanks for your interest.

Right now, the reporting process for malware on PyPI is to essentially email the PyPI admins, and right now the admins review every report. Even if we had triagers, we'd probably want to continue doing this to ensure we aren't removing false positives. Additionally, almost all reports are valid, so triaging wouldn't really cut down on the number of reports we have to process.

That said, if you're interested in contributing to the effort to reduce malware and improve response times to reports, working on steps towards improving our reporting infrastructure would probably be the most impactful, or even working on making the code introspection tool that reporters use more useful.

Happy to support any of those efforts if you're interested in getting started!

Totally agreed that a security triage desk that forwards vast-majority-valid reports up to administrators would not be adding value!

But I'm more approaching this from the perspective of: if someone put in the work to become a reliable and trusted malware reporter, would there be space at the administrator table for them to help with security related tasks? Ideally so maintainers can focus on maintaining & building new stuff, instead of sifting through abuse reports. I love digging through malware much more than I love writing code, personally!

Though do note that this is not a "please gib admin, I can be trusted, definitely not evil" post - I'm just wondering if the ownership model allows for that currently, or if the 'only' way in is through becoming a maintainer. Y'all are getting malware reports from me anyway - five packages and counting! - so it's just a "wondering for the future" thing :slight_smile:

Not quite the answer to your question, but given that we already have a strong pool of malware reporters (and there's a lot of overlap between their reports) I could see implementing a policy that a given project could be taken down automatically if N unique (and uniquely-affiliated) reporters all report it, which would speed up takedowns and reduce burden without reporters having to do more work.

(Worth noting that right now, there's also no good way for us to provide differentiated permissions for "can remove malware" and "can remove anything on PyPI", so what you're asking for is essentially the latter, which we tend to be careful with :wink:)
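The "N unique, uniquely-affiliated reporters" policy sketched in the post above can be made concrete as a small consensus check. The following is an added illustration, not code from warehouse or from anyone in this thread; the report fields, the `evaluate_reports` function and the sample reports are all assumptions constructed for the example. The key detail it shows is that the threshold counts distinct *affiliations*, not distinct reporters, so several reports from one organization count as one vote and cannot trigger a takedown on their own.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class MalwareReport:
    """One inbound malware report (assumed schema, not warehouse's)."""
    project: str       # PyPI project name as reported
    reporter: str      # reporter identity, e.g. an email address
    affiliation: str   # organization the reporter belongs to


@dataclass(frozen=True)
class ProjectVerdict:
    distinct_reporters: int
    distinct_affiliations: int
    eligible_for_auto_takedown: bool


def _norm(value: str) -> str:
    """Case-insensitive, whitespace-insensitive key so 'ExampleSec' and
    ' examplesec ' are treated as the same organization."""
    return value.strip().lower()


def evaluate_reports(reports, threshold: int) -> dict:
    """Group reports by project and decide which projects have been reported
    by at least `threshold` distinct affiliations.

    Duplicate reports from the same reporter are collapsed, and reporters from
    the same affiliation are collapsed again, so N reporters from one
    organization contribute a single affiliation vote.
    """
    if threshold < 1:
        raise ValueError("threshold must be at least 1")

    reporters_by_project = defaultdict(set)
    affiliations_by_project = defaultdict(set)
    for r in reports:
        project = _norm(r.project)
        reporters_by_project[project].add(_norm(r.reporter))
        affiliations_by_project[project].add(_norm(r.affiliation))

    verdicts = {}
    for project in reporters_by_project:
        n_affil = len(affiliations_by_project[project])
        verdicts[project] = ProjectVerdict(
            distinct_reporters=len(reporters_by_project[project]),
            distinct_affiliations=n_affil,
            eligible_for_auto_takedown=n_affil >= threshold,
        )
    return verdicts


# Constructed sample reports; the names and organizations are made up.
SAMPLE_REPORTS = [
    # Three independent organizations report the same project.
    MalwareReport("typo-requests", "alice@examplesec.test", "ExampleSec"),
    MalwareReport("typo-requests", "bob@examplesec.test", "ExampleSec"),
    MalwareReport("typo-requests", "carol@otherlab.test", "OtherLab"),
    MalwareReport("typo-requests", "dan@thirdorg.test", "ThirdOrg"),
    # Duplicate submission from the same reporter must not inflate counts.
    MalwareReport("typo-requests", "alice@examplesec.test", "examplesec"),
    # Three reporters, but all from one organization: one affiliation vote.
    MalwareReport("reqeusts", "alice@examplesec.test", "ExampleSec"),
    MalwareReport("reqeusts", "bob@examplesec.test", "ExampleSec"),
    MalwareReport("reqeusts", "eve@examplesec.test", "ExampleSec"),
    # A single report; stays in the manual admin queue.
    MalwareReport("some-package", "carol@otherlab.test", "OtherLab"),
]


def auto_takedown_candidates(reports=SAMPLE_REPORTS, threshold: int = 3):
    """Return the sorted list of projects that meet the affiliation threshold."""
    verdicts = evaluate_reports(reports, threshold)
    return sorted(p for p, v in verdicts.items() if v.eligible_for_auto_takedown)


if __name__ == "__main__":
    for project, verdict in evaluate_reports(SAMPLE_REPORTS, 3).items():
        print(project, verdict)
    print("auto-takedown candidates:", auto_takedown_candidates())
```

Everything that does not reach the threshold still lands in the existing admin-reviewed queue; the check only decides which reports may be fast-tracked, which is the part of the proposal that reduces load without changing the false-positive guarantee the admins rely on.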