We strive to make the OWASP CRS accessible to a wide audience of beginner and experienced users. We are interested in hearing any bug reports, false positive alert reports, evasions, usability issues, and suggestions for new detections.

Create an issue on GitHub to report a false positive or false negative (evasion). Please include your installed version and the relevant portions of your engine audit log. We will try and address your issue and potentially ask for additional information in order to reproduce your problem. Please also note that stale issues will be flagged and closed after 120 days. You can search for stale issues with the following search query.

Sign up for the CRS mailing list to ask general usage questions and participate in discussions on the CRS.

Join the #coreruleset channel in the OWASP Slack to chat with us.

We try to give a first response to inquiries and issues within a day or so. This happens via our “Dev on Duty” program that assigns a CRS developer to scan the aforementioned channels as well as Stack Overflow. Please note that “Dev on Duty” is financed by sponsorship of NGINX.

If you’ve found a false negative/bypass under active exploit, please responsibly disclose the issue by sending an email to If necessary, you can send a message encrypted to our GPG key.