DEV Community: OWASP BLT

Breaking Into Open Source This Summer? Start with OWASP BLT

saksh — Thu, 16 Apr 2026 15:31:47 +0000

As summer approaches, open source sees a steady wave of new contributors.
Each year, developers explore repositories, review issues, and look for meaningful ways to get involved.

The challenge is rarely writing code. It is understanding the system well enough to contribute effectively.

This summer, OWASP BLT is participating in the Social Summer of Code (SSOC), a three-month program focused on open source contribution, learning, and collaboration. It brings together contributors from diverse backgrounds to work on real-world projects, submit pull requests, and actively engage with the open source ecosystem.

About OWASP BLT

OWASP BLT (Bug Logging Tool) is a community-driven OWASP project developing open source tools for vulnerability reporting, bug tracking, and security automation.

The project spans APIs, dashboards, applications, bots, and ongoing research under OWASP. This is designed to make security workflows more practical, structured, and accessible for developers and teams.

Ongoing Deletion Program

Alongside regular development, OWASP BLT is running an ongoing deletion initiative.

Contributors review the repository, identify unused or unnecessary files, and remove them. Each valid contribution is rewarded with $1. This campaign will run till 30th April.

This effort focuses on:

Supporting the ongoing migration to separate and more structured repositories
Maintaining a clean and efficient codebase
Improving long-term maintainability
Helping contributors understand the structure of a real-world project

It also provides a simple and practical entry point for those beginning their open source journey.

Contribution Opportunities During SSOC

As the program progresses, more areas of the project will be opened for contribution, including:

Clearly defined and beginner-friendly issues
Opportunities across different parts of the stack
Active collaboration within the community

Whether you are exploring open source for the first time or looking to contribute to security-focused tooling, OWASP BLT offers a structured and meaningful way to get involved.

Get started 🚀

Explore the repository and start contributing:
https://github.com/OWASP-BLT/BLT.

🎉First PR? Get paid for it

Ananya — Wed, 01 Apr 2026 18:55:05 +0000

Introducing Dollar Deletions — a special campaign only for first-time contributors.

We know large codebases can be intimidating, so we are paying you $1 for your first accepted Pull Request where you safely delete unused or legacy code.

👉 Why are we doing this?

We are preparing for a major migration! To do this safely, we need to thoroughly clear out the existing repository. Your deletions will help us sweep away all the old files so we can seamlessly move our brand-new system into the clean repo.

🧹 Clean up real production code
🧠 Learn how large codebases work
🚀 Make your first open-source contribution
💵 Earn your first dollar online

How it works

Find dead or unnecessary code in our repository.
Submit your first-ever PR to remove it.
Pass the code review (your changes must not break existing functionality).
Get $1 via GitHub Sponsors!

📌 The Rules

This campaign is only for first-time contributors to this repo.
Your PR must include a clear explanation of what you removed and why.
The code must remain fully functional after your deletion.
Limited to one reward per contributor.

🏆 Bonus: Referral Leaderboard!

Spread the word and climb the ranks! You can refer others to this initiative. Just have the PR mentioning that you are referring a contributor as @user1 refers @user2 and link that PR to our mega issue. This will track the mention and boost @user1's rank on our referral leaderboard.

💡Not sure where to start? Look for issues labeled good-first-deletion to get your bearings.

👉Start here: OWASP-BLT/BLT

Your first PR shouldn’t be scary—it should be rewarding. We can't wait to review your code!

A Beginner’s Guide to Open Source Contributions (From My Journey and Mistakes)

Jayant Malvi — Tue, 31 Mar 2026 21:02:24 +0000

Hello everyone, I am Jayant Malvi. I am currently in 2nd year of my B.tech Computer Science in IIT Madras.

So my journey started way before I actually started contributing. I was really intrigued by the open source world and always wanted to contribute to organizations where my work is actually used by real people.

My first mistake was that I was just looking at how to start contributing—how to do GSoC and all that. I checked various GitHub repos, looked at good-first-issues, and always thought, “nah, I don’t know this, I won’t be able to contribute.” This was in my first year of college. Around the same time, I was also reading a lot about cybersecurity—networking, vulnerabilities, etc.

Then in my second year, one day in September, I explored OWASP projects and got introduced to OWASP-BLT. The idea of turning bug hunting and vulnerability findings into a gamified environment—with bounties, bacon—really caught my eye. That day I joined the Slack channel and messaged the maintainer, Donnie, about how I wanted to contribute. Donnie, being a great mentor, replied and helped me get started. That was the all the head start I needed.

I jumped into the codebase and started looking at pending PRs. My goal was simple: understand how the codebase works and how PRs are actually done. While setting up the project, I noticed tests were failing. I had no idea what those tests meant at first, but after digging into the codebase, I found there were two identical names causing the issue. I discussed it in Slack and raised a PR.

That’s when I realized—we really overcomplicate open source contributions. It’s honestly just about having the will to contribute and enjoying the process. From that day onwards, I caught momentum and never stopped.

The biggest advice I can give (it sounds simple, but it works): stop thinking so much and just jump into the codebase. At the start, you’ll feel like you don’t understand anything, but trust me—there will be a point where it just clicks, and after that it almost becomes addictive.

Another important thing: being involved in discussions. One of my mistakes was being too hesitant to talk or ask questions. I thought people might think I’m dumb or not professional. That mindset held me back for a while. What I later realized is—no one thinks like that. Everyone is learning. You should ask questions freely. The kind of knowledge you get from peers in these communities is something you won’t easily get elsewhere.

I also really liked how our maintainer, Donnie, introduced initiatives like requiring peer reviews for PRs. We have a strong peer network in BLT where everyone helps each other. A big part of my journey was reviewing PRs—this helped me understand the project better and learn about common mistakes like N+1 queries, deduplication issues, etc. I’d strongly recommend reviewing PRs—it helps others and sharpens your own understanding.

One of the major things I worked on was BLT-Zero. It’s a core part of OWASP-BLT where anyone can send vulnerabilities report to target organizations through a zero-trust workflow—no plaintext storage, mail with encrypted zips, hashes for decryption. This project is really close to me. I started working on it in November, it grew into a community project(in BLT-Zero repository, feel free to join us), and now we’re really close to sending the first vulnerability mail. I’m genuinely excited about that.

There are also many other community projects like BLT-Leaf, BLT-SafeCloak, and more across different domains ,you can contribute to domains that interests you and learn a lot. We’ve also started an initiative for new contributors to help reduce technical debt by making deletion PRs. It’s a great way to get started and understand the project better.

Today the GSoC proposal deadline ended. What I really liked is how my perspective has changed. Around 6 months ago, GSoC felt like just a program to get into. But now, it felt like I’m actually building my own project from scratch and trying to make it as good as possible in the organization which is really close to me. The time I spent researching and writing my proposal was quite a lot, but I enjoyed the whole process more than I expected.

Looking back, I’ve really enjoyed these last 6 months of contributing. I just wish I had joined in the fun earlier. The peer group I found here is one of the most supportive I’ve seen. I’ll keep contributing and see BLT grow into one of the biggest security projects out there.

And finally, a special thanks to our maintainer, Donnie for the constant guidance and for helping me grow as a contributor. The discussions we had around new ideas and improvements—and the way you always encouraged them—were easily the best part.

If you’re someone thinking about starting open source—just start. That’s it. You are always welcome at OWASP-BLT.

Designing the Face of OWASP BLT: Three New Creative Challenges 🎨✨

Ananya — Fri, 20 Mar 2026 15:33:34 +0000

If you’ve been following our journey, you know that OWASP BLT is evolving. We’re streamlining our mission and modularizing our code, but a project is only as strong as its identity. We want the "front door" of our project to reflect the innovation happening behind the scenes.

We are officially inviting the creative community to help us redefine our look and community interaction through these design contests:

1. The Video Meme Contest 🎬

Who says security has to be serious all the time? We’re looking for the most creative, relatable, or just plain hilarious video memes that capture the "bug hunting" struggle or the spirit of the OWASP community.

Prize: $10
Deadline: April 15, 2026

👉 View Video Meme Contest Details

2. The Logo Design Contest 🕵️

The OWASP BLT logo is more than just an icon; it’s a symbol of security and community accountability. We’re looking for a fresh, modern take on our visual identity. Whether you’re a minimalist or a fan of bold, "hacker-y" aesthetics, we want to see your vision.

Prize: $25
Deadline: April 15, 2026

👉 View Logo Contest Details

3. The Homepage Redesign Contest 💻

We want our landing page to be as intuitive and high-performance as the tools we build. This is a challenge for the UI/UX enthusiasts—how would you structure the first experience a researcher or contributor has with BLT? Show us your layouts, your transitions, and your vision for a better user experience.

Prize: $25
Deadline: April 15, 2026

👉 View Homepage Contest Details

Why get involved?

Open source isn’t a gated club for "genius coders." It’s a space for anyone who wants to build something that matters. By participating in these contests, you’re not just submitting a file; you’re interacting with the OWASP BLT repository, getting your name on the contributor list, and helping us shape the future of the project.

Start small, design bold, and let’s see what you can create.

The Great OWASP BLT Cleanup: Delete a File, Join Open Source

Donnie Brown — Mon, 16 Mar 2026 23:16:25 +0000

The OWASP BLT project is entering a new phase.

Over time, the main repository grew into a large monolith containing many different components. To make the project easier to maintain and contribute to, we’re migrating from a single repository into multiple focused repositories.

During this transition, we’ve paused new additions to the main repo while we move components into their own homes.

But instead of doing the cleanup alone, we decided to turn it into a community challenge.

🧹 The Great OWASP BLT Cleanup

Want to contribute to open source in the easiest possible way?

Delete a file.

Each contributor can submit one pull request that removes a single file from the repository. That’s it.

As components move to their new repositories, the community will help gradually bring the original repo down to zero files.

Think of it like a collaborative game where every PR moves the project one step closer to its next chapter.

Why We’re Doing This

This campaign helps us:

Trim down the original repository during the migration
Give first-time contributors an easy entry point to open source
Teach the basics of forking, branching, and pull requests
Create a fun community moment around the transition

Once the repository is empty, we’ll replace it with a lightweight version that reflects the project’s new structure.

The Rules

To keep things fair:

🗑 One file deleted per contributor
🔁 No multiple deletion PRs from the same person
🧩 Only one file per pull request
🌱 Contributors are encouraged to join the new repositories afterward

This ensures more people can participate.

Perfect for First-Time Contributors

If you’ve ever wanted to contribute to open source but didn’t know where to start, this is a great opportunity.

You’ll learn how to:

Fork a repository
Create a branch
Commit a change
Open a pull request

All with almost zero technical complexity.

Want to Do More?

After submitting your deletion PR, feel free to jump into the new BLT repositories and contribute real features, fixes, or improvements.

This campaign is just the first step into the community.

Let’s Clean It Up Together

Every deleted file means:

one step closer to the new architecture
one new contributor joining the project
one small win for open source collaboration

Find a file. Delete it. Submit your PR. 🚀

Welcome to the cleanup crew.

OWASP BLT Github Repo

The Transition: From Intent to Integration

Ananya — Wed, 11 Mar 2026 18:15:45 +0000

I had defined my "why" and mapped out a vision for GSoC 2026. However, the last few weeks have shifted my focus from the abstract goal to the granular reality of open-source contribution. The momentum I gained from the past few months of contributions, has evolved into a disciplined daily rhythm.

The gap between planning and execution is where the most significant learning occurs. In my previous update, I spoke about the "Plan." Since then, I have moved past simply archiving organizations to actively living within the repositories of OWASP BLT. I will share more insights on those in the upcoming posts.

The Recent Progress

A major technical highlight of these past two weeks was my deep dive into HTMX. While my foundation in the MERN stack is solid, exploring HTMX allowed me to view web development through a different lens—focusing on simplicity and high-performance transitions without the overhead of heavy JavaScript frameworks.

I successfully implemented a project using HTMX, which served as a practical laboratory for my learning. This experience taught me that being an engineer isn't just about sticking to what you know; it’s about the agility to adopt the right tool for the specific problem at hand. Integrating this into my workflow has made my contributions more versatile and informed.

The Momentum of the Merge

The most rewarding aspect of this period has been the "merged" status on my Pull Requests. There is a specific kind of validation that comes from having code reviewed by experienced maintainers and then integrated into a real-world repository. Each merged PR represented a hurdle cleared—whether it was navigating a complex file structure, adhering to strict coding standards, or resolving merge conflicts that initially seemed daunting.

Through this process, I have begun to overcome the hesitation I previously mentioned. Being active on GitHub and participating in PR discussions has forced me to communicate my logic clearly and accept feedback professionally. I am no longer just a spectator in these communities; I am a contributor, or better say an "Active Contributor"

Revamp of the main BLT home page as BLT Pages

Being involved in the launch of the new BLT Pages home page from both a development and a strategic perspective provided a holistic view of software delivery. It taught me that a successful launch requires more than just clean code; it requires a narrative that connects the technology to the user. This experience has been pivotal in addressing my previous goal of improving proactive communication and overcoming my hesitation in professional settings.

Technical and Community Growth

My commitment to upskilling remains a constant. While I work on the frontend and strategy for BLT, I continue to strengthen my backend capabilities and practice Data Structures and Algorithms in C++. My roles in GDG on Campus and the FLUX Society continue to provide a necessary balance, reminding me that while coding is often a solitary act, building great software is a communal effort.

Looking Ahead

The next few weeks will be about sustaining this velocity. The momentum from the last fourteen days has replaced the "magic" of open source with something more sustainable: the confidence that comes from consistent, meaningful work.

I will continue to deepen my involvement with the BLT core team, ensuring the momentum of the new home page launch is maintained. I am also beginning to translate these practical experiences into the initial framework of my formal GSoC proposal, using my recent contributions as a proof of concept for my potential as a long-term contributor.

See you in the next post. Let's make it happen!

Next Week Is Going to Be Pure Chaos!!

rp_dex — Sat, 07 Mar 2026 16:40:41 +0000

Next week my life will become a distributed system under heavy load.

Why??

Because three things are happening at the same time:

College midsems starts Monday

GSOC proposal writing

Trying to push open source PRs before deadlines

Which means my schedule next week looks something like this:

9:00 AM -> Study for midsem
11:00 AM -> Panic
12:00 PM -> Debug failing PR
2:00 PM -> Realize I studied the wrong subject
4:00 PM -> Write proposal draft
6:00 PM -> Coffee
7:00 PM -> Another PR review request appears
9:00 PM -> Existential crisis
2:00 AM -> Finally understand the code
2:05 AM -> Maintainer asks for rebase

The Academic vs Open Source Conflict

Professors expect to focus on my exams..
Maintainers expect “Can you update the PR with the latest changes?”
My brain expects Sleep

None of these expectations are being met.

The Midsem Preparation Strategy

Open the syllabus.
Realise I should've started earlier.
Open GitHub instead.
Convince myself fixing a bug is “productive studying”..

Proposal Writing Mode

Writing proposals is a special experience.

You start confident

“This project idea is brilliant.”

Two hours later

“Do I even understand my own architecture?”

Four hours later

“Maybe I should become a farmer.”

Reality of the Week

By Thursday the system will degrade into:

caffeine driven coding

last minute studying

refreshing GitHub notifications

pretending everything is under control

Spoiler: it will not be under control.

Final Thoughts

Next week is either going to be:

extremely productive

an absolute disaster

But either way…

there will be commits..

Why Owasp BLT ? Contribution from 5 to 50+ prs !

Md Kaif Ansari — Sat, 07 Mar 2026 16:40:02 +0000

It was the time when I thought to get some open source contribution after I was done from my internship. I was heavily into TS/JS ecosystem and started finding projects for the same.

So I went to gsocorganizations.dev to find some organization, then I just applied the filter for web and started scrolling. Most of the orgs were either too big to get started or had zero activity; you know the type, last commit 8 months ago, issues with no responses.

Then I saw OWASP BLT.

Honestly my first reaction was, what even is this? A bug logging tool with BACON tokens and a leaderboard? Sounded like someone mixed a bug bounty platform with a gamified Reddit. I was skeptical. But the repo had recent commits, open issues with responses, and the maintainer (Donnie) was actually replying to people. That was enough for me to at least clone it.

The First PR — Small But It Counts

I spent the first few days just reading the codebase. BLT runs Django on the backend, has a Cloudflare Workers API layer called BLT-API, a Chrome extension, a Flutter app, and about 30+ other sub-repos. It's not a small project.

My first PR was tiny. A small bug fix; nothing fancy. I wasn't even sure it would get noticed. But it got reviewed, commented on, and merged within a couple days. That was the moment I thought okay, this is actually active, people are paying attention here.

That one merged PR basically hooked me in.

Going Deeper — BLT-API and the D1 Migration

After a few more small PRs I started digging into BLT-API; the Cloudflare Workers layer. This is where things got interesting and also where I spent most of my time.

The project was in the middle of migrating from a traditional database setup to Cloudflare D1 (basically SQLite at the edge). Nobody had fully done it yet. I looked at the codebase, figured out what was missing, and just started doing it.

The D1 migration ended up being a bigger chunk of work than I expected — schema design, migration files, bugs API, user schema, 2FA auth with Mailgun, domain routing. At some point I realized I had context on this entire layer that very few other contributors had.

That's kind of how it happens with open source. You don't plan to become the person who knows X. You just keep pulling threads until suddenly you're the one explaining it to others.

Talking to Donnie

One thing that kept me going was that Donnie was actually there. Not just merging PRs silently — actually talking, discussing direction, pushing back when something didn't make sense.

I remember one conversation where I brought up whether we should migrate to wrangler@latest and clean up some of the utility functions. I laid out both sides; old version is stable and working, new version is cleaner for contributors but we might break things. He just said "I like this improvement" and we went from there.

That kind of back and forth made it feel less like contributing to a repo and more like actually building something with someone. That changes how you approach the work.

5 PRs to 50+

Looking back at how it went from 5 to 50+ PRs; it wasn't a strategy. I didn't sit down and think "I'm going to contribute a lot." It was more like every time I fixed something I found two more things that needed fixing. And every time I went deep on one layer I found connections to other layers I wanted to understand.

BLT is genuinely a weird project in the best way. It has a bug bounty platform, blockchain rewards, a PR readiness checker, an AI code review bot, a Slack bot, a web scanner agent; all as separate repos that loosely connect. Once you start understanding how it fits together it's hard to stop.

By the time I had 50+ PRs merged across 10+ repos I realized I wasn't just a contributor anymore, I actually understood the system. Not just one part of it, the whole thing.

That's when I started thinking about GSoC.

Why BLT Specifically

There are bigger projects. More popular ones. Ones with better documentation and easier onboarding.

But BLT had something most of them didn't; room to actually build things. Not just fix typos or update dependencies, but design and implement real features. The kind of work where you're making decisions that actually affect how the platform works.

If you're looking for an open source project to contribute to and you want to go from zero to genuinely understanding a real production system; BLT is worth the initial confusion. Push through the first few PRs, get into the codebase, find the thing that interests you and go deep on it.

The BACON tokens are optional. The learning isn't.

The first step in open source

saksh — Wed, 04 Mar 2026 13:08:02 +0000

Back in October, I read a blog by GSoC contributor.

He talked about how he started, how he discovered open source, what he worked on, and how his journey unfolded. I already knew what open source was. I knew what GSoC was. I had watched the videos. I had read many blogs too.

But knowing something and stepping into it are two very different things.

I had this quiet dream of one day having that GSoC badge on my profile. And to have that, you need to contribute to open source.

But my brain kept whispering:

“What if you change one line of code and accidentally take down production?”

There’s also this narrative you sometimes see online that students (especially from India) “pollute” open source with low-quality contributions.

So my biggest fear wasn’t just breaking production with my code but also criticism .

In that blog, he mentioned his first PR in OWASP BLT. It was a small simple pr. And I thought if I could find something like that, maybe even I can contribute. So, I explored the organization.

Every page.

Every link.

Everything just to spot a small issue which I could handle.

And after some chaotic scrolling and determined clicking, I found what felt like buried treasure:

A broken link in the contribution guide. It was just a small href issue.
It really felt like mirage lol. I went to their repo , read the contributing guidelines, I set up the codebase and installed all the prerequisites.

When I solved the issue, the pre-commit kept failing. And I was like this is the end. It’s not going to work. It took me 5 hrs to solve everything. Eventually it worked and I raised the pr on 1st november 2025.

drum roll

And the very next day pr was merged.

Press enter or click to view image in full size

I remember, I kept visiting the site just to check my change lol. That tiny broken link was my entry into OWASP BLT and open source as whole.

And I’ll always be grateful for the blog, BLT.

Because fast forward to today, I have 20+ prs merged in this org.I learned how to interact with maintainers, contribute to real-world problems, and even give peer reviews.

I used to think open source was reserved for genius developers , turns out all I needed one first step forward.

If you’re still reading and hesitating. Go and explore https://github.com/OWASP-BLT.
You might find your own “broken href” moment.

And that tiny fix?
It might quietly change your trajectory.

Like it changed mine.

And yes, don’t treat open source like a competitive exam.

It’s about learning by working on real-world applications.

It’s about realising that your small change can help many people. That feeling is so powerful.

I hope it helps ;))

A New Chapter for OWASP BLT: Our Website Revamp is Live! ✨

Ananya — Wed, 04 Mar 2026 04:33:53 +0000

We are thrilled to announce that the new OWASP BLT site at owaspblt.org is officially live. This revamp isn't just about a fresh coat of paint; it’s a complete reimagining of how we interact with our community. The new interface is designed to be intuitive, making it easier than ever for researchers and contributors to navigate bug logs and engage with our security tools.

While we look toward the future with this new UI, our roots remain deep in the open-source community. This project has been active for over a decade, including eight years of participation in Google Summer of Code (GSoC). This long history has allowed us to collaborate with brilliant students worldwide, helping us evolve from a large, complex codebase into the streamlined, mission-driven ecosystem we are today.

A core part of this evolution is our move toward absolute security in responsible disclosure. Our involvement with OWASP led us to develop BLT Zero, a pioneering Zero Trust vulnerability reporting platform. By ensuring sensitive details are never stored on a central server, we’ve created a disclosure process that is inherently resistant to compromise—a standard that is now reflected in our new digital home.

To support this growth, we are migrating key components of our architecture into independent repositories, making it simpler for new contributors to get involved. We invite you to explore the new site, Join our Slack, or submit a pull request. Together, we’re building a more secure and transparent internet for the next decade and beyond. 🚀

Open Source Journey: Contributing to OWASP BLT

Arnav Kirti — Tue, 03 Mar 2026 18:27:48 +0000

Introduction

I started my journey with open source when I was applying for Summer of Bitcoin ’25 and got rejected in the proposal round. It was a setback for me, yes. But after that, I worked on my skills and changed my approach.

This time, my goal was not just to get selected somewhere. I wanted to choose an organization that I genuinely liked and contribute to it in such a way that even if I didn’t get selected, I would still be proud of the real-world progress and contributions I made.

That’s when I started exploring, and OWASP caught my attention — especially its BLT (Bug Logging Tool) project. One of the most positive things about the community was how welcoming everyone was. Donnie guided us even through small, seemingly silly steps without ever making us feel small. That support meant a lot.

This was the phase that shifted me from “building projects” to “contributing to a production project.” And that shift changed everything.

What is OWASP BLT?

OWASP BLT (Bug Logging Tool) is an open-source OWASP project that provides a single landing page and workflow for collecting public bug reports, safely routing sensitive security vulnerabilities to BLT-Zero, and giving transparent recognition to contributors through a live leaderboard driven by GitHub issue activity.

It follows a security-first approach and has a very active community behind it. At the same time, it is beginner-friendly, which makes it a perfect place for anyone who wants to start contributing to open source without feeling overwhelmed.

My Learnings

The things I learned while contributing are not limited to coding.

I learned better communication — how to explain ideas clearly, how to ask the right questions, and how to respond to feedback properly. I learned how to understand large codebases and think with a security-first mindset instead of just “making things work.”

Another interesting aspect of BLT is how openly it embraces AI. It actively encourages contributors to use AI tools in their workflow and even integrate AI into development practices. That exposure changed how I approach problem-solving and coding in general.

Peer reviews were another huge learning experience. The feedback I received on my PRs helped me improve a lot. At the same time, reviewing others’ PRs forced me to deeply understand their code, logic, and design decisions — which was learning in itself.

Honestly, I can say I’ve learned more in these past few months contributing to BLT than in the previous year of building projects just to impress myself and then leaving them unfinished. (Sad reality of most side projects.)

Contributing consistently to a real production project feels different. It feels meaningful.

Advice to New Contributors

My advice to new contributors is simple: start small.

Don’t be overwhelmed. OWASP is a very beginner-friendly organization. If you are respectful to your peers and genuinely willing to learn, the community will always welcome you — even if you don’t know everything yet or are still figuring things out. (Just got reminded of the favorite rat of our huddles.)

Don’t be afraid to ask questions.
Respect maintainers’ time.

And most importantly — stay consistent.

Chase this dopamine guys!!!

Thanks for reading!

My Journey Into Open Source and My First Big PR

Nachiket Roy — Tue, 03 Mar 2026 07:18:27 +0000

I heard about open source around a year ago, and honestly, I didn’t jump in out of excitement - it was pure curiosity. I just wanted to see how things worked behind the scenes. So I started exploring the good-first-issue label on GitHub, picked some random repos, forked them, committed a few changes, and slowly figured out the whole contribution workflow.
Back then, I also knew about GSoC - Google Summer of Code - but only at a surface level. To me, it was simply “contribute → get selected.” I had no idea how big real-world codebases could be or how overwhelming they might feel.

Finding My Direction: OWASP

While browsing blogs about how to get started, almost everyone suggested reading previous years’ GSoC write-ups. So I did. And while reading those posts, one organization suddenly stood out: OWASP.

The reason was simple - I already knew about the OWASP Top 10. Out of hundreds of unfamiliar organizations, OWASP felt like a place where I at least understood the purpose.

As I explored further, projects like NEST, CRE, and BLT started popping up. I leaned toward NEST at first because I’m more comfortable with TypeScript. BLT looked really interesting, but I had zero experience with Django or Python.

And then came the twist.

The Blog That Changed Everything

I found a GSoC blog written by a contributor. They had built four security labs for the BLT project and the write-up was so friendly that it gave me confidence:

“I may not know the stack, but I can surely replicate this and extend it.”

That belief was strong enough for me to try. Plus, I knew I could use AI tools to understand things. How hard could it be?

Well… harder than I expected.

My First PR: The Reality Check

I replicated the labs, joined the Slack workspace, got confirmation, and made my PR in October:

Added Labs: Under Security Labs Added More Labs #4628

Nachiket-Roy posted on Oct 14, 2025

Added more labs in security labs section closes #4784

To seed labs and their tasks simply run : python manage.py seed_all_security_lab

Summary by CodeRabbit

Refactor
- Restructured task detail page into clear, per-lab sections for payload exercises (SQLi, XSS, CSRF, Command Injection, Broken Auth, IDOR, File Upload, Sensitive Data Exposure, Open Redirect, SSRF)
- Unified and simplified MCQ and simulation submission flows and result display with consistent styling driven by correctness
- Minor formatting and structural template cleanups
Chores
- Added a management command to seed the six security labs and their tasks for testing/dev environments

View on GitHub

The moment I asked for a review, reality hit.
Replication wasn’t as simple as copy → paste → commit.

I had:

added irrelevant files
failed pre-commit checks
triggered Sentry and CodeRabbit warnings I didn’t even understand
and generally made every beginner mistake possible

After a lot (and I mean a lot) of back-and-forth, and with patient help from the maintainer - Donnie, I finally cleared everything. One month later, the PR was merged. And that changed everything for me.

From Zero Momentum to Light Speed

Once that first PR got merged, it was a massive boost.

I started reading issues, picking tasks, opening PRs, getting reviews, fixing things, and before I knew it, I had multiple PRs merged in the same month. The slow start turned into full-speed progress.

We were also encouraged to review others’ PRs. I didn’t really know how to do that, so I watched how other contributors reviewed code and followed their patterns. Tools like CodeRabbit and Sentry helped; they taught me how to reason about code warnings.

I also started recognizing common patterns in the backend:

N+1 query problems
cache stampede issues
repeated logic patterns
places where optimizations were needed

I wasn’t an expert, but I was learning how to spot things. I used Copilot and CodeRabbit to understand unfamiliar parts of the repo and slowly built a mental map of its workflow.

Where I Am Now

From that first confused PR to today, the journey has been wild.
I now:

understand the repo’s structure
can navigate issues, commits, and workflows confidently
know how reviews function
contribute regularly
and feel genuinely connected to the project

What started as a random attempt to explore open source turned into something meaningful that i want to continue growing in.