by Ojaswa | Pre-Final Year CSE, AKTU
The Scroll That Started Everything
It was a regular Tuesday night. My laptop fan was whirring, I had three cold cups of chai on my desk, and I was doing what every GSoC-hopeful does in January: doom-scrolling through gsocorganizations.dev with the desperate energy of someone hunting for WiFi in a basement.
Most orgs felt like one of two things — either dead (last commit: 2019, last PR merged: archaeology required) or too big (Linux kernel contributors who've forgotten what "beginner-friendly" means). My brain kept whispering "You're a third-year from AKTU. Who's going to pick you?"
Then I saw OWASP BLT.
Bug Logging Tool. Okay, normal enough. But then I read further. BACON tokens. Leaderboards for hackers. A mix of Django on the backend and Cloudflare Workers running edge functions. A mobile app. A browser extension. Something called "Sizzle." Something else called "BLT-Preflight" — a tool meant to save contributors from themselves (ironic, considering what happened next).
I laughed out loud — alone — at 1 AM.
Was this a project or a startup someone accidentally open-sourced? I was skeptical. But pure curiosity got me to click "Explore Repos," and honestly, that single click changed the next month of my life.
The Terror of 30+ Sub-Repos
Here's what nobody tells you about jumping into a mature open-source ecosystem: the sheer size of it is a physical sensation.
OWASP BLT isn't one repo. It's an entire constellation. You've got the core Django app handling bug reports, authentication, and scoring logic. You've got Cloudflare Workers sitting at the edge, talking to Cloudflare D1 — SQLite-at-the-edge, which is as cool as it sounds and as confusing as it sounds. You've got the Sizzle app. You've got BLT-Leaf. You've got schemas connecting things in ways that weren't immediately obvious to me.
And here's the thing — I joined right when the team was in the middle of planning to break the monolithic BLT repo into multiple sub-repos. So nothing was fully settled yet. Repos were being created, responsibilities were shifting, and the architecture was mid-transition. I remember staring at the list thinking: "If I touch the wrong file, I will take down production for actual security researchers."
Imposter syndrome didn't knock on my door — it walked in, sat on my couch, and started ordering food.
I almost closed the tab. I'm glad I didn't.
The Broken Link That Broke Me Open
My first contributions weren't flashy features. One was a Windows setup guide for BLT-Leaf — documenting the PowerShell equivalents that nobody had written down yet. The other was a unit test for messaging email notifications in the core BLT repo.
Not glamorous. But real.
Here's the thing about OWASP BLT's setup: they have a full CI workflow configured to catch issues before your code ever lands in the main repo. pre-commit runs linting and formatting locally the moment you run git commit. Then, once the pull request is open, CodeQL kicks in for static code analysis, and the broader workflow runs the test suite and everything else on top of that.
My first commit attempt? Failed. My second? Failed differently. My third through tenth? A masterclass in reading error messages I didn't understand and Googling solutions at 2 AM.
The pre-commit hooks kept flagging things — trailing whitespace, import ordering, a YAML file I'd touched without realizing the formatter would have opinions about it. Every failure felt like the project was personally telling me I didn't belong.
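For anyone wondering what produces exactly those failures, here is an illustrative .pre-commit-config.yaml wiring up the standard hooks for trailing whitespace, YAML checks and import ordering. This is an added example, not BLT's own config: the hook repositories are real, but the pinned versions, the choice of black and isort for formatting, and the detect-private-key hook are assumptions about how a Django project like this would set things up.

```yaml
# Illustrative .pre-commit-config.yaml (added example, not the BLT project's file).
# Hook repos are real; the pinned revisions are assumptions, pin them to whatever
# your project actually uses.
repos:
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v4.6.0
    hooks:
      - id: trailing-whitespace     # the hook that strips trailing spaces on commit
      - id: end-of-file-fixer       # every file ends with exactly one newline
      - id: check-yaml              # parses YAML before a formatter has opinions about it
      - id: check-added-large-files # stops accidental binaries or dumps from landing
      - id: detect-private-key      # refuses a commit that contains a private key block
  - repo: https://github.com/psf/black
    rev: 24.4.2
    hooks:
      - id: black                   # code formatting (assumed formatter for this example)
  - repo: https://github.com/pycqa/isort
    rev: 5.13.2
    hooks:
      - id: isort                   # import ordering, the other thing that kept failing
        args: ["--profile", "black"]
```

pre-commit install registers these in .git/hooks so they run on every git commit; pre-commit run --all-files runs them across the whole tree, which is the fastest way to find out what will fail before you push. One caveat worth knowing: these hooks only run on your own machine and anyone can skip them with git commit --no-verify, so the re-run in CI on the pull request is what actually gates the repo. That is also why the heavier CodeQL analysis lives in the CI workflow rather than in a local hook.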
But on attempt eleven, something changed. The hooks passed. I pushed. I opened a pull request with a description that was probably too long for a one-line fix.
And then — the purple merge button.
If you've never had a PR merged into a project you respect, I cannot fully explain what that feels like. It's small. It's objectively tiny. But it's real. Someone on the other side of the internet looked at your work and said, yes, this belongs here now.
My imposter syndrome didn't disappear. But it moved off my couch and at least went to wait in the hallway.
The PR That Taught Me More by Failing
Momentum is a dangerous thing when you've just tasted your first merge.
I noticed inconsistent formatting across the codebase. "I'll fix all of it," I thought — classic beginner trap. I reformatted 48 files in one PR.
Technically correct. Completely wrong.
Donnie's comment hit like a cold shower:
"PRs must be atomic and focused. One concern per PR."
Ten words. But they exposed something deeper — I'd been thinking like a student, not a contributor. Students submit assignments. Contributors build trust, one reviewable change at a time.
I closed that PR. Opened seven focused ones instead.
That "failed" PR was worth more to me than any merged one.
The Part Nobody Puts in Their GSoC Blog: The People
Here's what surprised me most about OWASP BLT: it's a conversation, not just a codebase.
Donnie has been the kind of maintainer you hope to find — direct, honest, and fast. The "atomic PR" lesson I wrote about? That was him. But it didn't stop there. Every review, every comment, every nudge has been the kind of feedback that makes you better without making you feel small.
Then there's Ramansh Saxena, who has a gift for explaining why an architectural decision matters, not just what it is — the FastAPI patterns I was fumbling through started making sense the moment he walked me through the reasoning.
And then there's Nachiket Roy — a peer, not a mentor — who somehow managed to be the first person I'd ping when I was stuck, and the first to respond. That kind of instant, no-judgment help from someone going through the same thing is something I didn't know I needed.
Open source, at its best, is mentorship at scale. Every PR review is a free lesson from someone who's already made the mistakes you're about to make. I didn't expect to feel like part of a community this fast. But that's what the right project does to you.
Your Broken Link Is Waiting
One month in. Still learning something new every day. The GSoC badge matters — but the real prize is this: production-level learning, in a real codebase, with people who give real feedback. You can't buy that in any course.
Here's the thing nobody tells you — the bar isn't talent. It's showing up.
Your first PR doesn't need to be impressive. It needs to be real.
Find the broken link. Let the pre-commit hooks fail ten times. The purple merge button is closer than you think.
Go find your broken link.
🚀 Start Contributing to OWASP BLT
Ojaswa is a 3rd-year CSE student at AKTU and a contributor to OWASP BLT, applying for GSoC 2026.
Tags: #GSoC2026 #OpenSource #OWASP #OWASP-BLT