CRS is an open source project that struggles to address the issues reported by the community, just like so many other open source communities. Everybody enjoys developing new features (rules!), but grinding away at solving false positives is not necessarily a favorite pastime for us.
We are falling behind with providing solutions to reported shortcomings of the rule set, we lose sight of feature requests, and unfortunately there are even queries that go unanswered.
We’ve been trying to solve that problem for a long time. The situation improved when we introduced a monthly issue chat where we discuss open GitHub issues. And truth be told, the stale bot cleaning out old issues also brought an improvement. Well, obviously it did, but the bot is actually not cleaning that many issues. It’s more that the bot gives us an incentive to address the open issues before it eats them. You could say that the bot’s biggest effect is the signal it sends when it tags an issue a few weeks before actually closing it.
As of this writing, we have 37 open issues on GitHub, and the plan is to reduce this into the mid-twenty range. This is now feasible since we started a “Dev on Duty” program last week.
Dev on Duty program
Every week, we have a paid CRS developer who is responsible for responding to issues and support questions addressed to our project. GitHub is the most obvious channel. Yet we will also cover the OWASP Slack (channel #coreruleset) as well as the CRS mailing list. On top of that, we also plan to scan Stack Overflow with the keywords CoreRuleSet and Core Rule Set.
A first response is crucial, because once we have an issue on our radar, it’s much easier to address it. So the first response will address simple support requests with a brief answer (and close the issue), or it will ask for additional information if that is necessary. We can assign an issue to a developer who knows the rules in question, or we schedule the issue for our monthly chat where we will discuss it together.
So we’re quite enthusiastic about the new Dev on Duty program. This is also because it is a milestone for the project: we are able to pay our developers for this work. This was made possible by the sponsorship of NGINX. We use a big slice of that contribution for the Dev on Duty program.