How Curiosity Pulled Me Toward Open Source

Shubhang pathak — Sun, 15 Mar 2026 21:08:26 +0000

For a long time, open source was something I knew about but never truly touched.

You know how it goes.
You see GitHub repositories with thousands of stars, dozens of contributors, complex folders everywhere… and your brain quietly says:

Maybe later

Later can last a very long time.

For me, it lasted until recently when I made my first ever PR in OWASP.
It was actually a pretty small one. I changed a few things in BLT Monitor.
But it counted. And this is that story.

My Background

I'm Shubhang, currently pursuing my Master of Computer Applications from Pune. My recent work involves building automation workflows and full stack systems using Python, LangChain, FastAPI, and React.

I built things. Learned things. Broke things. The usual.

But there was always this quiet awareness in the back of my head that everything I was building lived in my own little bubble. My repos. My ideas. My comfort zone.

Open source kept appearing on the edges of that bubble.

But honestly? Large repositories are intimidating. Hundreds of files. Active contributors. CI pipelines running everywhere. Automated bots reviewing your code before any human even looks at it.

My brain did what most beginners "tried to avoid it".

The GSoC Rabbit Hole That Led Me Here

At some point, "maybe later" ran out.

I started reading about GSoC (Google Summer of Code) and quickly discovered that the actual advice wasn't "be a genius." It was quieter than that. Almost every blog said the same thing:

Start small. Understand the project. Show up consistently.

So I started reading GSoC write-ups from previous years. Dozens of them.

And somewhere in that reading, OWASP started appearing more than others to me because right now i was exploring mcp servers and I found out their repo for BLT-MCP.

I already knew about the OWASP Top 10: security basics, web vulnerabilities, the kind of stuff that shows up in every security conversation. That familiarity made OWASP feel like something I could at least understand the purpose of, even if I didn't yet understand the codebase.

That's how I found OWASP BLT.

First Look at BLT

My first instinct when I found the BLT repository was not to immediately open an issue and start typing.

I cloned it. Read through it. Looked at merged PRs. Read through open issues.

I was basically doing what I now recognize as orienting building a mental map before moving.

This is something I'd genuinely recommend to anyone starting out.

You don't need to understand everything. You just need to understand enough to take a first step without completely breaking something important.

My Contributions

Here's where I'm going to be real with you, because the dev.to ecosystem has enough success polished stories.

I didn't do a lot. And most of what I tried didn't land perfectly.

My first attempts? didn't get merged.

But I kept going.

Eventually, I got a UI fix merged on BLT Monitor.

Small. Clean. Accepted.

And I cannot fully explain why that felt significant, but it did.

Something shifts when a maintainer reviews your work and says yes, this belongs here. Even if it's one line. Even if you spent three times longer on it than you expected to.

Here's what else I'll be transparent about every PR you open might not get merged.

I also opened a PR around integrating the OWASP MCP into the GitHub MCP ecosystem. It's still pending. Hasn't been merged yet right now. And that's okay.

That's a lesson too.

Learning to sit with a pending PR without spiraling is its own kind of skill that nobody really prepares you for. Lol.

Where I Am Right Now

Honestly?

Still exploring. Still learning.

I'm not going to dress that up as a dramatic arc.

But I'm also someone who went from "open source is intimidating, maybe later" to someone who has code sitting inside an OWASP project. Small as it may be.

That's not nothing.

And if you're somewhere at the beginning of this same journey feeling slightly lost, slightly intimidated, unsure if your contribution is even worth opening a PR for just know that every person in that repo started exactly where you are right now.