GSoC 2025 Ideas
Bug Logging Tool (BLT) • DevSecOps Maturity Model • OWASP Nettacker • OWASP Nest • OWASP Juice Shop • OWASP Website • Pygoat
Tips to get you started in no particular order:
- Read the Student Guidelines.
- Check our GitHub organization.
- Contact one of the project mentors below.
List of Project Ideas
Bug Logging Tool (BLT)
OWASP BLT is a bug-hunting & logging platform that enables users to hunt for vulnerabilities, participate in bug bounties, and contribute to open-source security. Organizations can leverage BLT to manage vulnerability reports, track security issues, and engage with ethical hackers.
BLT is a large-scale project with a growing ecosystem, offering full-stack development, security automation, AI-powered analysis, and blockchain-based incentives. This year’s GSoC projects focus on UI/UX improvements, API development, automation, and gamification to enhance the platform’s usability and impact.
Preference will be given to students who have at least 5 merged PRs before GSoC selection.
🔹 2025 GSoC Ideas / Large Projects
🔸 Modern UI/UX Overhaul & Lightweight Front-End in React (~350h)
A complete redesign of BLT’s interface, improving accessibility, usability, and aesthetics. The new front-end will be built with React and Tailwind CSS, ensuring high performance while maintaining a lightweight architecture under 100MB. Dark mode will be the default, with full responsiveness and an enhanced user experience.
🔸 Organization Dashboard – Enhanced Vulnerability & Bug Management (~350h)
Redesign and expand the organization dashboard to provide seamless management of bug bounties, security reports, and contributor metrics. Features will include advanced filtering, real-time analytics, and improved collaboration tools for security teams.
🔸 Secure API Development & Migration to Django Ninja (~350h)
Migrate our existing API and develop a secure, well-documented API with automated security tests to support the new front-end. This may involve migrating from Django Rest Framework to Django Ninja for improved performance, maintainability, and API efficiency.
🔸 Gamification & Blockchain Rewards System (Ordinals & Solana) (~350h)
Introduce GitHub-integrated contribution tracking that rewards security researchers with Bitcoin Ordinals and Solana-based incentives. This will integrate with other parts of the website as well, such as daily check-ins and code quality. Gamification elements such as badges, leaderboards, and contribution tiers will encourage engagement and collaboration in open-source security.
🔸 Decentralized Bidding System for Issues (Bitcoin Cash Integration) (~350h)
Create a decentralized system where developers can bid on GitHub issues using Bitcoin Cash, ensuring direct transactions between contributors and project owners without BLT handling funds.
🔸 AI-Powered Code Review & Smart Prioritization System for Maintainers (~350h)
Develop an AI-driven GitHub assistant that analyzes pull requests, detects security vulnerabilities, and provides real-time suggestions for improving code quality. A smart prioritization system will help maintainers rank issues based on urgency, community impact, and dependencies.
🔸 Enhanced Slack Bot for Real-Time Security Alerts & Automation (~175h)
Expand the BLT Slack bot to automate vulnerability tracking, send real-time alerts for new issues, and integrate GitHub notifications and contributor activity updates for teams.
🔗 More projects & discussions: BLT Milestones
✅ Expected Results
- Successfully implementing a fully functional, production-ready feature.
- Contributions must align with BLT’s core security and performance goals.
- Code should adhere to best practices, including security testing, CI/CD integration, and documentation.
📌 Knowledge Prerequisites
To contribute effectively, familiarity with at least one or more of the following is recommended:
- Back-End: Python, Django, Django Ninja, SQL
- Front-End: React, Next.js, Tailwind CSS, HTML/CSS
- Blockchain: Bitcoin Ordinals, Solana, Smart Contracts
- AI/ML: NLP, Machine Learning for security analytics
- DevOps & Security: GitHub API, REST API, OAuth, Authentication
👥 Mentors
We are actively looking for more mentors! If you have experience in Django, React, Blockchain, or AI, we’d love to have you onboard.
📌 Confirmed Mentors:
- Donnie (@DonnieBLT on Slack)
- Yash Pandey
- Bishal Das
- Ahmed ElSheikh
- Patricia Waiyego
- Looking for 5 more mentors!
🎥 To get up to speed, check out our BLT videos.
👥 Pre-Selected Students
For transparency, we are implementing a pre-selection process for students this year. This demonstrates our commitment to working with students who are continually contributing, while also signaling our intent to other projects and organizations. However, pre-selection does not guarantee a final placement or acceptance.
- Krrish Sehgal 32 PRs
- Sahil Omkumar Dhillon 28 PRs
- Krishna Kaushal 29 PRs
- Apoorva Pendse 10 PRs
- Dhruv Trivedi 11 PRs
- Nitin Awari 6 PRs
- Student 7
- Student 8
- Student 9
- Student 10
OWASP DevSecOps Maturity Model
Join us in enhancing the DSOMM, a pivotal tool designed to improve the security and operational efficiency of software development processes. We are looking for passionate students to contribute to two major areas: our main application development in JavaScript and our metric analyzer and collector in Java. Whether you are looking to tackle medium-sized challenges or are ready to embark on a larger project, we have exciting opportunities for you.
To receive early feedback please:
- put your proposal on Google Docs and submit it to the OWASP Organization on Google’s GSoC page in “Draft Shared” mode.
- Please pick “dsomm” as Proposal Tag to make them easier to find for us. Thank you!
Medium Feature Pack for the DSOMM Main Application (JS)
This pack includes tasks that are crucial for enhancing the user experience and functionality of the DSOMM main application. Contributors will address existing issues and add new features:
- Implement a State or Tag for “Not yet assessed”, addressing Issue #241
- Enhance the Excel download feature in “Mapping” by adding assessment information, as discussed in Issue #244
- Refine the handling of subcategories to streamline the organization and presentation of maturity model elements, making the tool more intuitive. See Issue #194
- Introduce the Adding of Diagrams feature to enhance the visualization of DevSecOps processes and maturity levels, as outlined in Issue #183
- Your Idea: Proposals that innovate or enhance the metric collection and analysis process are highly encouraged.
Large Feature Pack for the metric Analyzer and Collector (Java)
This pack challenges students to develop the entire workflow from data collection to visualization for DSOMM metrics, including the implementation of a Kafka queue. Projects include:
- Design and implement a collector for OWASP DefectDojo, fetching Mean Time to Resolve (MTTR) and Mean Time to Patch (MTTP) via the defectdojo-client (which fetches MTTR/MTTP)
- Develop a collector for Jira, to retrieve information about security tasks.
- Create a collector for Jenkins and Kubernetes, aimed at measuring deployment frequency by team, a key metric in DevOps performance.
- Engineer a collector for GitHub and Bitbucket, to calculate MTTP by tracking pull request opening and merge dates. In addition, check that branch protection is enabled and a .gitignore exists in the root file system.
- Engineer a collector for gitleaks, fetching Mean Time to Resolve (MTTR) and Mean Time to Patch (MTTP)
- Your Idea: Proposals that innovate or enhance the metric collection and analysis process are highly encouraged.
Please take a look at the architecture diagram of DSOMM metricCA. The whole path from the collector to Grafana needs to be implemented. Please note that the Kafka queue and Prometheus are currently not implemented and need to be implemented in the collector and in the metricAnalyzer.
For Backstage, Jira and Confluence, a defined format and tags might be used to identify the corresponding team and the type of document (e.g. threat modeling/pentest).
Prerequisites
- Proficiency in the corresponding programming language (JavaScript for the main application, Java for the metric analyzer and collector)
- Previous contributions to open-source projects are highly desirable, demonstrating your commitment and collaborative skills
Mentors
Reach out to us on Slack to discuss these and other ideas!
OWASP Nettacker
OWASP Nettacker is a modular automated penetration testing / information gathering framework and vulnerability scanner fully written in Python. Nettacker can run a variety of scans, discovering subdomains, open ports, services, vulnerabilities, misconfigurations, and default credentials.
Explanation of Ideas
- fix scan engine multi-threading/queuing issues
- improve WebUI / add dashboard
- add DefectDojo integration / output report format
- add SARIF output report format
- implement testing framework, get 70% code coverage level
Getting Started
Repositories:
- OWASP Nettacker on OWASP GitHub
- Join OWASP Slack and contact us on channel #project-nettacker
Knowledge Requirements
- Python
- Flask
- HTML/CSS/JavaScript
- previous vulnerability scanning/bug bounty hunting experience
Mentors
OWASP Nest
OWASP Nest is a comprehensive platform designed to enhance collaboration and contribution within the OWASP community. The application serves as a central hub for exploring OWASP projects and ways to contribute to them, empowering contributors to find opportunities that align with their interests and expertise. Our mission is to drive real-world collaboration and elevate the OWASP organization by addressing key challenges and streamlining processes.
Repository
Technical Stack
- Python, Django, Pytest
- TypeScript, React, Jest
- Chakra UI, Tailwind CSS
- PostgreSQL, Algolia
- Docker, k8s, AWS
Projects / Ideas
- OWASP Contribution Hub: Aiming to streamline the onboarding process and connect contributors with mentors and impactful projects. This milestone focuses on improving collaboration within the OWASP community.
- OWASP Nest API: The development of REST and GraphQL API endpoints for OWASP Projects, Chapters, Events, and Committees. This milestone will standardize data access across OWASP’s resources.
- OWASP Nest Kubernetes Adoption: This milestone focuses on migrating the OWASP Nest application to Kubernetes, ensuring scalability, reliability, and ease of deployment.
- OWASP NestBot AI agent/assistant: Develop an AI-powered OWASP NestBot Slack assistant that acts as an auto-responder for frequently asked questions, guides users to the appropriate OWASP channels, and handles typical OWASP community queries.
- OWASP Project Health Dashboard: A dashboard for monitoring the health of OWASP projects. This includes tracking vital metrics such as release frequency, issue resolution, and contributor growth.
- OWASP Schema: Developing and extending a standardized schema for OWASP Projects and Chapters. This milestone aims to ensure consistency and ease of integration across OWASP resources.
- OWASP Snapshots: Creating a summary of activities within OWASP projects, chapters, and events, including new blog posts and news, to keep the community informed about recent developments.
Please visit our planned milestones page or the gsoc2025-labeled issues page.
Your own ideas
Do you have an idea to improve OWASP Nest? We’d love to hear it, please reach out in Slack to ensure that the idea fits OWASP Nest goals.
Expected Results
- Your proposal projects/ideas are fully completed.
- Your code follows our existing style guides and passes quality checks, test coverage, etc.
Getting Started
- Check out our contributing guidelines
- Join OWASP Nest channel #project-nest
- Consider a good first issue (if there are any) from the OWASP Nest issues page
Mentors
- Arkadii Yakovets (arkid15r on Slack)
- Kateryna Golovanova (Kate on Slack)
- Tamara Lazerka (Tamara on Slack)
OWASP Juice Shop
OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire OWASP Top Ten along with many other security flaws found in real-world applications!
To receive early feedback please:
- put your proposal on Google Docs and submit it to the OWASP Organization on Google’s GSoC page in “Draft Shared” mode.
- Please pick “juice shop” as Proposal Tag to make them easier to find for us. Thank you!
Explanation of Ideas
MultiJuicer as a CTF Platform
MultiJuicer saw some enhancements of its Team Score Board last year. It now is not that far away from being a full-fledged CTF platform of its own. This project should focus on the remaining features needed to make MultiJuicer a fully functional CTF platform. This should include making the Team Score Board visually attractive, flavorfully unique and more competition-oriented. The existing Solution Webhook integration already marks solved challenges automatically, but other information like team cheat score, progress over time etc. are not tracked or displayed today. The MultiJuicer CTF should offer the same features as the Juice Shop CTF tool in order to configure the availability of hints. This should include a way to allow teams to pay for hints with some of their collected points. To avoid issues with bigger teams hacking on the same instance of Juice Shop, a team grouping mechanism could be considered as well. The progress on the CTF Score Board could then be aggregated on group level for different teams/instances.
Test suite harmonization
Juice Shop had a full replacement of its end-to-end test suite - from Protractor to Cypress - in its GSoC 2022 project. Now it is time to take on the remaining test suites, especially the Integration/API tests currently running on Frisby.js. That library has not seen updates in 2+ years and it became more and more flaky over the years, causing occasional CI/CD failures and time-consuming retry mechanisms to keep those in check. A new foundation for these tests is needed. In scope is also to look at the frontend and backend unit test suites, and find a way to reduce the number of test frameworks being used in order to achieve higher consistency and less complexity for maintenance of the project. This project should include the test suites in the Juice Shop CTF tool as well. Proposals that also have the augmentation of MultiJuicer with end-to-end tests in scope are especially welcome.
Juice Shop side-project renovation
The Juice Shop CTF Tool is currently implemented in vanilla JavaScript. It should be migrated to TypeScript for consistency of maintenance with the main project. Furthermore, the code linting should be adapted to the main Juice Shop ESLint standards. Test coverage and relevance should be reviewed and strengthened where necessary.
Similarly, the following other sub-projects should be renovated and brought onto an identical tech stack: Juicy Statistics, Juicy Coupon Bot, Juicy Chat Bot, and Juicy Coupon Lambda.
Your own idea
You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!
Expected Results
- A new feature or improvement of an existing one that makes OWASP Juice Shop even better
- Your code follows our existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.
- Code that you write comes with automated tests that fit into our available test suites.
Getting started
- Make sure your JavaScript/TypeScript is sufficient to work on the Juice Shop codebase. Check our Codebase 101 here. Students with some experience with (or willingness to learn) Angular and Node.js/Express are usually preferred.
- Read our Contribution Guidelines very carefully. Best make some small contributions before GSoC, so we can see how you work and help you dive into the code even better.
- Get in touch via Slack or email (see below) to discuss any of the listed or your own idea for GSoC!
Mentors
- Bjoern Kimminich - OWASP Juice Shop Project Leader (bkimminich on Slack)
- Jannik Hollenbach - OWASP Juice Shop Project Leader (Jannik on Slack)
OWASP Website
This project for Google Summer of Code (GSoC) aims to enhance the OWASP website by improving its mobile responsiveness, updating its styling, and refining navigation for a more modern and user-friendly experience. Key objectives include revamping the project’s and chapter’s discovery features to make them more intuitive and accessible, creating comprehensive “Getting Started” pages to guide new users, and streamlining the site’s overall structure to ensure it is well-organized and easy to maintain. The project will focus on delivering a clean, cohesive design that aligns with current web standards, improving accessibility and usability across all devices.
Knowledge required
Jekyll
Mentors
DonnieBLT on Slack (looking for more mentors, signup here)
PyGoat
PyGoat is an open-source, intentionally vulnerable Python web application designed to help developers and security enthusiasts learn about web application security. It provides hands-on experience in identifying and mitigating common security vulnerabilities, making it a valuable resource for practicing secure coding and penetration testing techniques.
Repository
Skills Required
- HTML/CSS/JavaScript
- Python
- Django
- Docker
- Basic knowledge of application security
Getting started
- Check the GitHub project and Website.
- Join OWASP Slack and contact us on channel #project-pygoat
Projects / Ideas
- Refactor the webapp, moving the vulnerable labs away from the main website.
- Deploy a microservice-architecture-based approach for the labs.
- Add new labs to the project.
- Improvement of interactive playgrounds.
- Extend labs to other languages as well.
- Prepare for the OWASP Top 10:2025 section
Mentors
- ardiansyah
- Rupak Biswas (Rupak on Slack)