For a long time, open source was something I knew about but never truly touched.
You know how it goes.
You see GitHub repositories with thousands of stars, dozens of contributors, complex folders everywhere… and your brain quietly says:
Maybe later
Later can last a very long time.
For me, it lasted until recently when I made my first ever PR in OWASP.
It was actually a pretty small one. I changed a few things in BLT Monitor.
But it counted. And this is that story.
My Background
I'm Shubhang, currently pursuing my Master of Computer Applications from Pune. My recent work involves building automation workflows and full stack systems using Python, LangChain, FastAPI, and React.
I built things. Learned things. Broke things. The usual.
But there was always this quiet awareness in the back of my head that everything I was building lived in my own little bubble. My repos. My ideas. My comfort zone.
Open source kept appearing on the edges of that bubble.
But honestly? Large repositories are intimidating. Hundreds of files. Active contributors. CI pipelines running everywhere. Automated bots reviewing your code before any human even looks at it.
My brain did what most beginners' brains do: it tried to avoid it.
The GSoC Rabbit Hole That Led Me Here
At some point, "maybe later" ran out.
I started reading about GSoC (Google Summer of Code) and quickly discovered that the actual advice wasn't "be a genius." It was quieter than that. Almost every blog said the same thing:
Start small. Understand the project. Show up consistently.
So I started reading GSoC write-ups from previous years. Dozens of them.
And somewhere in that reading, OWASP started appearing more often than the others, because at the time I was exploring MCP servers and I found their repo for BLT-MCP.
I already knew about the OWASP Top 10: security basics, web vulnerabilities, the kind of stuff that shows up in every security conversation. That familiarity made OWASP feel like something I could at least understand the purpose of, even if I didn't yet understand the codebase.
That's how I found OWASP BLT.
First Look at BLT
My first instinct when I found the BLT repository was not to immediately open an issue and start typing.
I cloned it. Read through it. Looked at merged PRs. Read through open issues.
I was basically doing what I now recognize as orienting: building a mental map before moving.
This is something I'd genuinely recommend to anyone starting out.
You don't need to understand everything. You just need to understand enough to take a first step without completely breaking something important.
My Contributions
Here's where I'm going to be real with you, because the dev.to ecosystem has enough polished success stories.
I didn't do a lot. And most of what I tried didn't land perfectly.
My first attempts? They didn't get merged.
But I kept going.
Eventually, I got a small UI fix merged on BLT Monitor.
Small. Clean. Accepted.
And I cannot fully explain why that felt significant, but it did.
Something shifts when a maintainer reviews your work and says yes, this belongs here. Even if it's one line. Even if you spent three times longer on it than you expected to.
The PRs Still Waiting
Here's what else I'll be transparent about: every PR you open might not get merged.
I also opened a PR around integrating the OWASP MCP into the GitHub MCP ecosystem. It's still pending. It hasn't been merged yet. And that's okay.
That's a lesson too.
Learning to sit with a pending PR without spiraling is its own kind of skill that nobody really prepares you for. Lol.
What Open Source Actually Taught Me That Projects Don't
Working solo teaches you to ship.
Open source teaches you something different.
It teaches you that "communication is code". A confusing PR description is as much a problem as a confusing function. Writing clearly, describing what you changed, why you changed it, and what someone reviewing it should look for, is a skill, and it's one I'm still building.
But honestly? What surprised me most wasn't the code. It was the people.
OWASP BLT has a culture where you can ask questions without feeling like you're bothering someone. And I mean that genuinely: not in a "they have a contributing guide" kind of way, but in a "you actually feel welcome" kind of way.
Everyone in the organization is super friendly and helpful, which made communicating so much easier than I expected.
When I needed help or had questions, the maintainer replied and community members showed up and guided me. Just like that.
That doesn't happen by accident. It's built deliberately by the maintainers and by every person who shows up and keeps the culture intact. It completely changes how fast you grow when you're learning something new.
Working in a community taught me something that no solo project ever could. It's a different experience entirely. A better one.
Where I Am Right Now
Honestly?
Still exploring. Still learning.
I'm not going to dress that up as a dramatic arc.
But I'm also someone who went from "open source is intimidating, maybe later" to someone who has code sitting inside an OWASP project. Small as it may be.
That's not nothing.
And if you're somewhere at the beginning of this same journey, feeling slightly lost, slightly intimidated, unsure if your contribution is even worth opening a PR for, just know that every person in that repo started exactly where you are right now.
The entry point is almost never impressive.
It just has to be a start.