Md Kaif Ansari for OWASP BLT

Why OWASP BLT? Contributions from 5 to 50+ PRs!

It was around the time I wanted to start contributing to open source, right after finishing my internship. I was heavily into the TS/JS ecosystem and started looking for projects in that space.

So I went to gsocorganizations.dev to find an organization, applied the filter for web, and started scrolling. Most of the orgs were either too big to get started with or had zero activity; you know the type, last commit 8 months ago, issues with no responses.

Then I saw OWASP BLT.

Honestly, my first reaction was: what even is this? A bug logging tool with BACON tokens and a leaderboard? It sounded like someone had mixed a bug bounty platform with a gamified Reddit. I was skeptical. But the repo had recent commits, open issues with responses, and the maintainer (Donnie) was actually replying to people. That was enough for me to at least clone it.


The First PR — Small But It Counts

I spent the first few days just reading the codebase. BLT runs Django on the backend, has a Cloudflare Workers API layer called BLT-API, a Chrome extension, a Flutter app, and about 30+ other sub-repos. It's not a small project.

My first PR was tiny. A small bug fix; nothing fancy. I wasn't even sure it would get noticed. But it got reviewed, commented on, and merged within a couple of days. That was the moment I thought: okay, this is actually active, people are paying attention here.

That one merged PR basically hooked me in.


Going Deeper — BLT-API and the D1 Migration

After a few more small PRs I started digging into BLT-API, the Cloudflare Workers layer. This is where things got interesting, and also where I spent most of my time.

The project was in the middle of migrating from a traditional database setup to Cloudflare D1 (basically SQLite at the edge). Nobody had fully done it yet. I looked at the codebase, figured out what was missing, and just started doing it.

The D1 migration ended up being a bigger chunk of work than I expected — schema design, migration files, bugs API, user schema, 2FA auth with Mailgun, domain routing. At some point I realized I had context on this entire layer that very few other contributors had.

That's kind of how it happens with open source. You don't plan to become the person who knows X. You just keep pulling threads until suddenly you're the one explaining it to others.


Talking to Donnie

One thing that kept me going was that Donnie was actually there. Not just merging PRs silently — actually talking, discussing direction, pushing back when something didn't make sense.

I remember one conversation where I brought up whether we should migrate to wrangler@latest and clean up some of the utility functions. I laid out both sides: the old version is stable and working, the new version is cleaner for contributors but we might break things. He just said "I like this improvement" and we went from there.

That kind of back and forth made it feel less like contributing to a repo and more like actually building something with someone. That changes how you approach the work.


5 PRs to 50+

Looking back at how it went from 5 to 50+ PRs, it wasn't a strategy. I didn't sit down and think "I'm going to contribute a lot." It was more like every time I fixed something I found two more things that needed fixing. And every time I went deep on one layer I found connections to other layers I wanted to understand.

BLT is genuinely a weird project in the best way. It has a bug bounty platform, blockchain rewards, a PR readiness checker, an AI code review bot, a Slack bot, a web scanner agent; all as separate repos that loosely connect. Once you start understanding how it fits together it's hard to stop.

By the time I had 50+ PRs merged across 10+ repos, I realized I wasn't just a contributor anymore; I actually understood the system. Not just one part of it, the whole thing.

That's when I started thinking about GSoC.


Why BLT Specifically

There are bigger projects. More popular ones. Ones with better documentation and easier onboarding.

But BLT had something most of them didn't: room to actually build things. Not just fix typos or update dependencies, but design and implement real features. The kind of work where you're making decisions that actually affect how the platform works.

If you're looking for an open source project to contribute to, and you want to go from zero to genuinely understanding a real production system, BLT is worth the initial confusion. Push through the first few PRs, get into the codebase, find the thing that interests you, and go deep on it.

The BACON tokens are optional. The learning isn't.

Top comments (1)

Donnie Brown OWASP BLT

Reading this was awesome. This is exactly how BLT is meant to work — someone starts with curiosity, ships a small PR, and before long they’re deep in the system helping shape where things go next. Watching contributors grow from that first small fix into someone who understands entire layers of the platform is one of the most rewarding parts of building this project.

I really appreciate the time, thought, and persistence you put into the D1 migration and the BLT-API work. Contributions like that move the whole ecosystem forward. Thanks for sticking with it and helping push BLT further than it was before. 🚀