The OWASP Core Rule Set provides guidelines for many of the aspects surrounding the project. Please explore some of these below. If you are looking to submit a security issue with the Core Rule Set please email security [ at ]

Core Rule Set Documentation

We maintain a large body of documentation about effective methods to deploy the Core Rule Set. This information is built from the Core Rule Set documentation, included with the source.

Contribution Guidelines

If you are looking for information about how to join our vibrant community of Core Rule Set developers we invite you to check out our Github repository. When you’re ready to contribute we’ve outlined some of the guidelines that we use to keep  our project managed.


OWASP Core Rule Set is an open source set of security rules licensed under Apache 2.0. Although it was originally developed for ModSecurity’s SecRules language it can be, and often has been, freely modified, reproduced, and adapted for various commercial and non-commercial endeavors. We encourage individuals and organizations to commit back to the OWASP Core Rule Set where possible.


The Core Rule Set project endeavors not to make breaking changes in minor releases (i.e. 3.0.2), instead these releases will fix bugs otherwise identified in the previous release. New functionality and breaking changes will be made in major releases (i.e. 3.1). If you are interested in seeing what has changed in recent versions of the software please see our CHANGES file.