Krishiv-Mahajan/BLT (forked from OWASP-BLT/BLT)
๐Ÿ› OWASP BLT

Bug Logging Tool - Gamified Crowd-Sourced QA Testing & Vulnerability Disclosure

A gamified platform for discovering and reporting bugs across websites, apps, git repositories, and more

๐ŸŒ Website โ€ข ๐Ÿ“– Contributing Guide โ€ข ๐Ÿ’ฌ Join Slack โ€ข ๐Ÿ› Report Bug



🎯 What is OWASP BLT?

OWASP BLT (Bug Logging Tool) is a gamified crowd-sourced QA testing and vulnerability disclosure platform that encompasses websites, apps, git repositories, and more.

The platform helps coders and security researchers discover organizations, repositories, and projects to test and report to, making it easier to find meaningful security work and contribute to the community.

Our team has created dozens of open-source tools to assist in our main vision, including tools specific to the OWASP foundation. We embrace the AI revolution and have developed AI-powered tools and processes for efficient coding in harmony between humans and AI.

Built by the community for the community, BLT makes it easy for security researchers, developers, and organizations to collaborate on finding and fixing vulnerabilities.

✨ Key Features

  • ๐Ÿ” QA Testing & Vulnerability Disclosure - Discover and report bugs across websites, apps, git repositories, and projects
  • ๐Ÿ—บ๏ธ Discover Testing Opportunities - Find organizations, repositories, and projects to test and report to
  • ๐Ÿ† Rewards & Recognition - Earn rewards, badges, and recognition for your contributions to software quality and security
  • ๐Ÿ‘ฅ Crowd-Sourced Testing - Join a vibrant community of testers, security researchers, and developers
  • ๐ŸŽฎ Gamification - Leaderboards, challenges, and competitions to make testing engaging and rewarding
  • ๐Ÿ’ฐ Staking System - Innovative blockchain-based reward system for contributors
  • ๐Ÿค– AI-Powered Tools - Leverage AI for efficient coding, PR reviews, issue generation, and similarity scanning
  • ๐Ÿ“Š Comprehensive Dashboard - Track your progress, statistics, and impact across all platforms
  • ๐ŸŒ Open Source Ecosystem - Dozens of open-source tools supporting our mission
  • ๐Ÿ›ก๏ธ OWASP Project - Part of the Open Worldwide Application Security Project family

🚀 Quick Start

Prerequisites

  • Python 3.11.2+
  • PostgreSQL
  • Docker & Docker Compose (recommended)

Installation

Using Docker (Recommended)

# Clone the repository
git clone https://github.com/OWASP-BLT/BLT.git
cd BLT

# Configure environment
cp .env.example .env

# Build and start
docker-compose build
docker-compose up

Access the application at http://localhost:8000

Using Poetry

# Install dependencies
pip install poetry
poetry shell
poetry install

# Set up database
python manage.py migrate
python manage.py loaddata website/fixtures/initial_data.json
python manage.py createsuperuser

# Run the server
python manage.py runserver

For detailed setup instructions, see our Contributing Guide.

Beginner-Friendly Non-Docker Setup (Codespaces for Windows Beginners)

Docker/virtualization issues on Windows? Use Poetry + SQLite in GitHub Codespaces (free cloud VS Code—no local compilation/virtualization problems!).

  1. Create a Codespace on the main branch.
  2. cp .env.example .env
  3. poetry install (add poetry run pip install psutil if you get "ModuleNotFound" errors)
  4. Edit .env:
    • DATABASE_URL=sqlite:///db.sqlite3
    • Add SECRET_KEY=your-random-bengaluru2026!@#
    • Comment out the Postgres lines with #
    • Dummy keys: OPENAI_API_KEY=dummy
    • Keep DEBUG=True
  5. Optional CSRF fix in blt/settings.py: set ALLOWED_HOSTS = ['*'] and add:
    CSRF_TRUSTED_ORIGINS = [
        'https://*.github.dev',
        'https://*.app.github.dev',
        'http://localhost:*',
    ]
  6. poetry run python manage.py migrate
  7. poetry run python manage.py createsuperuser
  8. Run on a free port: poetry run python manage.py runserver 0.0.0.0:8001
  9. Open port 8001 in the Ports tab.

Tested by complete beginner Sharanyaa from Bengaluru—app running perfectly in Codespaces on January 14, 2026! 🚀

๐Ÿค Contributing

We welcome contributions from everyone! Whether you're fixing bugs, adding features, improving documentation, or spreading the word, your help is appreciated.

  • 📚 Read our Contributing Guide
  • 🐛 Check out open issues
  • 💡 Look for issues tagged with good first issue if you're new
  • 🎨 Follow our coding standards (Black, isort, ruff)
  • ✅ Run pre-commit before submitting changes

📊 GitHub Action Leaderboard

Our repository uses an automated leaderboard bot to recognize and gamify contributions. When you open a pull request, a leaderboard comment is automatically posted showing your monthly ranking compared to other contributors.

How It Works

The leaderboard bot runs automatically on every new pull request using GitHub Actions. It:

  1. Collects Monthly Statistics - Aggregates contribution data for the current month (UTC timezone)
  2. Calculates Points - Awards points based on various contribution types
  3. Ranks Contributors - Sorts users by total points, with tiebreakers
  4. Posts Leaderboard - Comments on the PR showing the contributor's rank and nearby competitors

Scoring System

The leaderboard awards points based on these contribution types:

| Activity | Points | Notes |
|---|---|---|
| Open PR | +1 per PR | All currently open PRs (repo-wide, no scoring cap; new PRs blocked if 50+ open) |
| Merged PR | +10 per PR | PRs merged during the current month |
| Closed PR (not merged) | -2 per PR | PRs closed without merging during the current month |
| Code Review | +5 per review | First two reviews per PR, where the review was submitted during the current month |
| Comments | +2 per comment | Issue/PR comments during the current month (excludes comments that mention @coderabbitai) |
| CodeRabbit Discussions | Configurable | See below for details |

Total Score Formula:

Total = (Open PRs × 1) + (Merged PRs × 10) + (Closed PRs × -2) + (Reviews × 5) + (Comments × 2) + CodeRabbit Bonus

Ranking Logic

Contributors are sorted by:

  1. Total points (highest first)
  2. Number of merged PRs (tiebreaker)
  3. Number of reviews (second tiebreaker)
  4. Alphabetical order (final tiebreaker, case-insensitive)

Top 3 contributors receive medal emojis: 🥇 🥈 🥉

CodeRabbit Discussion Tracking

The bot tracks discussions with CodeRabbit AI to encourage thoughtful code review engagement. This feature is configurable:

Environment Variables:

  • CR_DISCUSSION_MODE: How to handle CodeRabbit discussions

    • visible (default): Shows discussion count in leaderboard table
    • hidden: Counts toward points but hidden from table
    • separate: Tracked separately, not scored
  • CR_DISCUSSION_POINTS: Points per counted discussion

    • Default: 0 (visible tracking only, no points)
    • Set to positive integer to award points
  • CR_DISCUSSION_DAILY_CAP: Maximum discussions counted per user per UTC day

    • Default: 7
    • Prevents gaming the system through spam

Anti-Abuse Protection: Daily cap per user ensures quality over quantity in AI discussions.

Anti-Abuse Features

The leaderboard includes several safeguards:

  1. Bot Detection - Automatically excludes bot accounts (GitHub Apps, Dependabot, Copilot, etc.)
  2. Open PR Limit - Auto-closes new PRs if a user has 50+ open PRs (prevents PR spam)
  3. Daily Caps - Limits on CodeRabbit discussions prevent point farming
  4. Review Limits - Only first two reviews per PR count (encourages reviewing different PRs)
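The scoring table, the total formula, the ranking tiebreakers, the CodeRabbit daily cap and the anti-abuse exclusions above can be exercised together on a small data set. The following is an added example, not the leaderboard bot's own code: it models those rules in Python and runs them over constructed contribution events. The event layout, the `author_type` field used for bot detection, the `E`/`at` helpers, and the reading of the review limit as "first two reviews per reviewer per PR" are assumptions made for illustration.

```python
"""Added model of the BLT leaderboard rules (not the bot's own code), run over
constructed events. Event fields and the bot-detection heuristic are assumed."""
from collections import defaultdict
from datetime import datetime, timezone

# Points per counted contribution, as listed in the scoring table.
POINTS = {"open_pr": 1, "merged_pr": 10, "closed_pr": -2, "review": 5, "comment": 2}
MAX_REVIEWS_PER_PR = 2          # only the first two reviews (per reviewer, per PR) count
CR_MENTION = "@coderabbitai"    # comments mentioning CodeRabbit are not scored


def at(day, month=1, year=2026, hour=12):
    """Constructed UTC timestamp; the example scores January 2026."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


def E(kind, login, ts, author_type="User", **extra):
    """Constructed event; author_type mirrors GitHub's User/Bot actor types (assumed)."""
    return {"kind": kind, "login": login, "ts": ts, "author_type": author_type, **extra}


# Constructed sample events. 'open_pr' means 'currently open' (no date filter);
# every other kind is filtered to the scored month.
EVENTS = [
    E("open_pr", "alice", at(3), pr=1),
    E("merged_pr", "alice", at(5), pr=2),
    E("merged_pr", "alice", at(9), pr=3),
    E("review", "alice", at(9), pr=15),
    E("open_pr", "bob", at(2), pr=4),
    E("merged_pr", "bob", at(6), pr=5),
    E("review", "bob", at(7), pr=10),                      # three reviews on one PR:
    E("review", "bob", at(8), pr=10),                      # only the first two count
    E("review", "bob", at(9), pr=10),
    E("comment", "bob", at(8), body="@coderabbitai review"),   # excluded by the mention rule
    E("comment", "bob", at(8), body="LGTM"),
    E("merged_pr", "carol", at(28, month=12, year=2025), pr=6),   # outside the month
    E("closed_pr", "carol", at(4), pr=7),
    E("comment", "carol", at(4), body="repro steps"),
    E("comment", "carol", at(5), body="fixed"),
    *[E("cr_discussion", "carol", at(11, hour=h)) for h in range(9)],   # 9 in one day, cap 7
    E("merged_pr", "Dave", at(12), pr=8),                  # ties eve on points, wins on merges
    E("open_pr", "eve", at(12), pr=9),
    E("review", "eve", at(13), pr=11),
    E("comment", "eve", at(13), body="nit"),
    E("comment", "eve", at(14), body="done"),
    E("open_pr", "Zed", at(15), pr=12),                    # full tie with amy: alphabetical,
    E("open_pr", "amy", at(15), pr=13),                    # case-insensitive
    E("merged_pr", "dependabot[bot]", at(16), author_type="Bot", pr=14),   # bot: ignored
]


def score(events, year, month, cr_points=0, cr_daily_cap=7, cr_mode="visible"):
    """Return {login: breakdown incl. 'total'} for one UTC month, applying the
    bot exclusion, month filter, review limit, mention exclusion and daily cap."""
    rows = defaultdict(lambda: dict.fromkeys([*POINTS, "cr_discussion"], 0))
    reviews_counted = defaultdict(int)   # (login, pr) -> reviews already counted
    cr_per_day = defaultdict(int)        # (login, date) -> discussions already counted
    for e in events:
        if e["author_type"] != "User":          # bot detection
            continue
        login, kind, ts = e["login"], e["kind"], e["ts"]
        if kind == "open_pr":                   # repo-wide, any date
            rows[login]["open_pr"] += 1
            continue
        if (ts.year, ts.month) != (year, month):
            continue
        if kind == "review":
            key = (login, e["pr"])
            if reviews_counted[key] >= MAX_REVIEWS_PER_PR:
                continue
            reviews_counted[key] += 1
        elif kind == "comment" and CR_MENTION in e["body"]:
            continue
        elif kind == "cr_discussion":
            key = (login, ts.date())
            if cr_per_day[key] >= cr_daily_cap:
                continue
            cr_per_day[key] += 1
        rows[login][kind] += 1
    for r in rows.values():
        r["total"] = sum(r[k] * p for k, p in POINTS.items())
        if cr_mode != "separate":               # 'separate' tracks but never scores
            r["total"] += r["cr_discussion"] * cr_points
    return dict(rows)


def rank(rows):
    """Sort by total, merged PRs, reviews, then login (case-insensitive); medal top 3."""
    order = sorted(rows.items(), key=lambda kv: (
        -kv[1]["total"], -kv[1]["merged_pr"], -kv[1]["review"], kv[0].lower()))
    medals = ["🥇", "🥈", "🥉"]
    return [(i + 1, login, r["total"], medals[i] if i < 3 else "")
            for i, (login, r) in enumerate(order)]


if __name__ == "__main__":
    for pos, login, total, medal in rank(score(EVENTS, 2026, 1)):
        print(f"{pos:>2}. {medal}{login}: {total} pts")
```

Running it ranks alice (26), bob (23), Dave and eve (10 each, Dave first on merged PRs), carol (2), then amy and Zed (1 each, alphabetical). Switching `cr_points=1` lifts carol to 9 because only 7 of her 9 same-day CodeRabbit discussions pass the daily cap; `cr_mode="separate"` keeps the count but drops it from the total.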

Technical Details

  • Workflow File: .github/workflows/leaderboard-bot.yml
  • Trigger: Runs on pull_request_target when a PR is opened
  • Security: Uses base repo permissions; does not check out or execute PR code
  • Permissions: contents: read, pull-requests: write, issues: write
  • Data Source: GitHub GraphQL API and REST API
  • Timezone: All dates use UTC for consistency

Configuring the Leaderboard

To modify leaderboard behavior, edit environment variables in .github/workflows/leaderboard-bot.yml:

env:
  CR_DISCUSSION_MODE: visible    # visible | hidden | separate
  CR_DISCUSSION_POINTS: '0'      # Points per discussion
  CR_DISCUSSION_DAILY_CAP: '7'   # Daily limit per user

Viewing Your Stats

Your leaderboard stats are automatically posted when you open a PR. The comment shows:

  • Your current rank for the month
  • The user directly above you (if not #1)
  • The user directly below you (if not last)
  • Medal emoji if you're in the top 3
  • Detailed breakdown of your points by category

The leaderboard updates monthly, with rankings reset at the start of each month (UTC).


💬 Community & Support


📈 Star History

Star History Chart

📄 License

This project is licensed under the AGPL-3.0 License - see the LICENSE.md file for details.


โญ Star this repository if you find it helpful!
Made with โค๏ธ by the OWASP BLT Community
