We strive to make the OWASP ModSecurity CRS accessible to a wide audience of beginner and experienced users. We are interested in hearing any bug reports, false positive alert reports, evasions, usability issues, and suggestions for new detections.

Create an issue on GitHub to report a false positive or false negative (evasion). Please include your installed version and the relevant portions of your ModSecurity audit log.

Sign up for the CRS mailing list to ask general usage questions and participate in discussions on the CRS.

Join the #coreruleset channel in the OWASP Slack to chat with us.

If you’ve found a false negative/bypass under active exploit, please responsibly disclose the issue by sending an email to If necessary, you can send a message encrypted to our GPG key.