GSoC 2025 Recap

Wednesday, October 1, 2025

OWASP at Google Summer of Code 2025

Celebrating real impact, strong mentorship, and a growing community

The Google Summer of Code (GSoC) 2025 program has wrapped, and OWASP’s participation once again delivered meaningful improvements across the open-source security ecosystem. This year, 15 contributors worked across multiple OWASP projects, supported by 26 mentors. Of the 15 projects evaluated, 10 reached successful completion, three are still working on the final deliveries with extended deadlines, and two unfortunately not making the finish line.

Beyond code merged and features shipped, GSoC 2025 strengthened the pipeline of new contributors, future maintainers, and next-year mentors. Here’s a closer look at what we achieved together.

Program Snapshot

Contributors: 15
Mentors: 26 across the OWASP community
Project outcomes: 10 completed; 3 in progress, 2 not completed
Focus: Enhancing established tools, modernizing codebases, and exploring new AppSec directions

Project Highlights

OWASP Nest: API & Schema Development

Migrated the API toward Django Ninja, optimizing REST endpoints and paving the way for clearer schemas, better performance, and more maintainable service boundaries.

PyGoat v3: Architecture & Learning Experience Redefined

A major upgrade to OWASP PyGoat, the educational vulnerable app, focusing on modular architecture, clearer lab flows, and better secure-coding learning outcomes.

Nettacker: Recon Scan Improvements & Task Handling

Enhanced OWASP Nettacker with better reconnaissance scanning features and optimized task handling to reduce noise, improve reliability, and streamline operator feedback loops.

OWTF: MiTM Proxy Modernization

Modernized the Man-in-the-Middle proxy inside OWASP OWTF to improve stability and compatibility with evolving browser/proxy ecosystems.

OWASP OpenCRE: Gap Analysis Performance Optimization

Optimized gap analysis with improved Neo4j performance, AI-driven mappings between CREs and controls, and enhanced visualizations. Frontend upgrades for greater usability, responsiveness, and clarity.

OWASP BLT

Several impactful projects were developed to enhance open-source security, education, and contributor engagement:

Sahil Dhillon built an AI-powered GitHub assistant that helps maintainers review code, detect security vulnerabilities, and prioritize tasks using LLMs and rule-based scanning—all integrated into a GitHub bot and task management dashboard.
Krrish Sehgal extended OWASP BLT with a blockchain-backed, AI-scored gamification system to incentivize contributions like bug triaging and fixes.
Lucky Negi developed browser-based, interactive security labs for hands-on vulnerability triage and secure coding practice through gamified exercises.
Rinkita Dhana redesigned the OWASP BLT organization dashboard with real-time analytics, advanced filtering, and role-based collaboration tools to streamline team workflows and vulnerability management.

Together, these projects significantly advanced the usability, security, and educational value of the OWASP BLT ecosystem.

What Made These Projects Succeed

1. Focused Scoping & Iteration

Successful projects started with achievable milestones, then iterated toward stretch goals. Weekly demos, small PRs, and fast feedback helped contributors maintain momentum.

2. Communication Cadence

Mentors and contributors kept a regular rhythm: weekly 1:1s, short written updates, and community calls, so risks surfaced early and success was visible to the wider community.

3. Visibility & Recognition

Lightning talks, end-of-program showcases, and social posts gave contributors credit and confidence, while helping other projects discover reusable ideas.

4. Progressive Responsibility

As contributors matured, they took on triage, code reviews, or small leadership tasks.

Mentor & Org Admin Practices That Worked (and We’ll Repeat)

Set expectations early. Share onboarding docs, a “first-10-days” checklist, and communication norms before coding starts.
Require “commit early, commit often.” Small pull requests are easier to review and teach maintainers’ expectations quickly.
Pair mentorship. At least two mentors per project mitigates availability risks and reduces burnout.
Assess with real tasks. Simple environment-bring-up and “good first issue” tasks during selection predict success better than proposals alone.
Document a clear escalation path. If communication stalls, contributors know exactly how and when to reach Org Admins.

Making the Most of Community Bonding

The Community Bonding period is where retention begins. This year we emphasized:

Welcome fast. Mentors greeted accepted contributors within 24 hours, then invited them to weekly community calls.
Context first. We explained why a project matters, where it’s used, and how it helps the broader AppSec community.
Lightweight structure. A shared roster (handles, proposals, repos, blog links), a weekly meeting schedule, and a short public update cadence.
Clear expectations. “Communicate early, communicate often”, and yes, check your email for program notices and logistics.

Get Involved

Contribute: Pick an OWASP project that aligns with your skills or interests and say hello in the project’s channels.
Mentor: If you’re a maintainer or experienced contributor, consider mentoring next year.
Propose Ideas: Help shape our next GSoC by proposing scoped, contributor-friendly project ideas with clear milestones.
Contributor Fair: Join the Contributor Fair at OWASP Global AppSec US 2025 in Washington, DC this November. Details are available here.

If you’re interested in contributing or mentoring in GSoC 2026, keep an eye on OWASP community channels for timelines, idea lists, and onboarding sessions. Let’s build on the momentum of 2025 together!

Thank You

Heartfelt thanks to our contributors & mentors and the wider OWASP community. Whether you shipped a feature, reviewed code, wrote docs, or helped someone get unblock—you moved AppSec forward.

Fabio Cerullo and Starr Brown
OWASP Org Admins

Published: October 2025 ```

Watch Star