Contributing to the MAS Project

First of all, ⭐ Give us a Star in GitHub!


The MAS project is an open-source effort, and we welcome contributions and feedback that improve the quality, accuracy, and usefulness of the project.

Ways to contribute

Help improve the project:

Contribute content:

  • 💡 Propose ideas or suggest improvements (MASTG / MASVS). Approved ideas may be promoted to issues.
  • 📄 Create a Pull Request for concrete fixes addressing an existing GitHub issue, or for content that has been explicitly approved by the core team.

Before contributing, review the pages "How Can You Contribute?" and "Getting Started", as well as the following sections in this page.

IMPORTANT: Pull requests that don't comply with the following guidelines will be closed.

If anything is unclear, contact the project maintainers.

Use of AI tools in contributions

AI tools may be used to assist with contributions, but their use must be transparent, limited, and reviewed by the contributor.

Disclosure requirements

If you used AI tools to generate or substantially modify code or text, you must disclose this in the pull request template. The disclosure must include:

  • The AI tools used (e.g. ChatGPT, GitHub Copilot, Claude, etc.).
  • The models and versions (e.g. GPT-, Claude , etc.).
  • A brief summary of the prompts or instructions.
  • Your level of mobile security expertise: low, medium, high.
  • IMPORTANT for first time contributors using AI tools:
    • an export of the AI Chat or session (e.g. a link from ChatGPT "Share" feature or PDF as attachment) is required.
    • an initial commit including the AI generated content as-is must be followed by consecutive commits where the contributor demonstrates having reviewed and edited the AI output for accuracy and quality.

Unacceptable AI usage

AI generated output must never be applied blindly. The following is not acceptable:

  • Submitting AI generated content without verification of correctness.
  • Large rewrites that replace existing material without justification or explicit prior approval from the maintainers.
  • Using AI to compensate for lack of subject matter knowledge.

Technical and content expectations

The OWASP MAS project maintains high standards for technical quality and content accuracy.

Contributors are expected to:

  • Have familiarity with git and GitHub fundamentals. Contributors must understand forks, branches, commits, and pull requests. The project does not provide training.
  • Understand the topic they are contributing to. If new to mobile security, start by thoroughly studying the existing MAS content (learn about the mobile platforms, testing techniques, try to reproduce the demos yourself, etc.).
  • Review existing content and relevant MAS component writing instructions before proposing changes. For example, if contributing a new test, check if a similar test already exists, read the test writing instructions and follow the established format.
  • Only open a pull request after an issue has been assigned to you or after receiving explicit prior approval from the maintainers.
  • Validate claims, techniques, and recommendations independently.
  • Ensure contributions align with the project's goals, style, and quality standards. No spam or low-effort content is permitted, including blindly AI-generated content or content that does not add clear value.

In addition, all contributions must adhere to the following principles:

  • Advertisement: The OWASP Mobile Security Project must not be used to promote commercial tools, companies, or individuals. Content should focus on free and open-source tooling. Commercial tools may only be referenced in exceptional cases.
  • Unnecessary self-promotion: If you are related to a tool, link, or resource you reference, you must disclose this in the pull request.

Code of conduct and enforcement

All contributors must follow the Code of Conduct.

Violations of these guidelines, or of the Code of Conduct, may result in pull request closure, temporary restrictions, or permanent bans, depending on severity and repetition.

CPEs (Continuing Professional Education) and CEUs (Continuing Education Units) accreditation

Information security professionals holding certifications from major organizations, such as (ISC)², ISACA, and GIAC, may be eligible to claim Continuing Professional Education (CPE) credits or CompTIA Continuing Education Units (CEUs) for their active contributions to the OWASP Mobile Application Security (MAS) project.

Please refer to the respective certification body's guidelines for claiming CPEs or CEUs, as they may have specific requirements regarding the type and extent of contributions that qualify for credit. Generally, contributions such as technical writing for the MASVS, MASWE, and MASTG may be eligible for professional credits in a ratio of 1 hour of contribution to the Profession = 1 CPE/CEU.

Tool Inclusion Disclaimer for Contributors

OWASP MASTG encourages community contributions, including security testing tools that provide clear and practical value. However, all tool submissions are subject to review and may be rejected if they appear to be self-promotional, lack relevance, or do not meet minimum quality standards (e.g., documentation, usability, maintenance).

To be considered for inclusion, tools should be:

  • Open-source or freely accessible
  • Clearly documented and usable by the community
  • Actively maintained, with updates tracking Android and iOS platform changes whenever applicable

Even after inclusion, tools may be removed if they become outdated, broken, unmaintained, or no longer align with the goals of the MASTG. Inclusion is not permanent and does not imply endorsement by OWASP.

When no suitable open-source alternative exists, we may include closed-source tools. However, any closed-source tools included must be free to use, as we aim to avoid featuring paid tools whenever possible. This also extends to freeware or community editions of commercial tools.

Our goal is to be vendor-neutral and serve as a trusted learning resource, which is why we've avoided the inclusion of "automated mobile application security scanners" due to the competitive challenges they pose. Instead, we focus on tools that provide full code access and comprehensive testing, as they are better suited for educational purposes. Tools that lack this transparency, even if they offer a free version, typically do not meet the OWASP MAS project's inclusion criteria.


Our Contributors

All of our contributors are listed in GitHub repos. See OWASP MASTG Authors & Co-Authors, MASTG Contributors and MASVS Contributors.

Update March 2023: We're creating a new concept for contributions that aligns with the new MASTG v2 workflows. Stay tuned...


  • Damien Clochard (Automation in GitHub Actions with pandocker)
  • Loni Jacobsen (Access to Corellium)

OWASP MASVS V2

Coming soon...

OWASP MASTG V2

Coming soon...

OWASP MASVS V1

The latest version of the MASVS v1, including all translations, is available here: https://github.com/OWASP/masvs/releases/tag/v1.5.0

  • Project Lead: Sven Schleier and Carlos Holguera
  • Lead Author: Bernhard Mueller, Sven Schleier, Jeroen Willemsen and Carlos Holguera
  • Contributors and Reviewers: Alexander Antukh, Mesheryakov Aleksey, Elderov Ali, Bachevsky Artem, Jeroen Beckers, Jon-Anthoney de Boer, Ben Cheney, Will Chilcutt, Stephen Corbiaux, Ratchenko Denis, Ryan Dewhurst, @empty_jack, Ben Gardiner, Manuel Delgado, Anton Glezman, Josh Grossman, Sjoerd Langkemper, Vinícius Henrique Marangoni, Martin Marsicano, Roberto Martelloni, @PierrickV, Julia Potapenko, Andrew Orobator, Mehrad Rafii, Javier Ruiz, Abhinav Sejpal, Stefaan Seys, Yogesh Sharma, Prabhant Singh, Nikhil Soni, Anant Shrivastava, Francesco Stillavato, Abdessamad Temmar, Pauchard Thomas, Lukasz Wierzbicki


Translators & Reviewers by language:

  • Brazilian Portuguese: Mateus Polastro, Humberto Junior, Rodrigo Araujo, Maurício Ariza, Fernando Galves
  • Chinese (Traditional): Peter Chi, Lex Chien, Henry Hu, Leo Wang
  • Chinese (Simplified): Bob Peng, Harold Zang, Jack S
  • French: Romuald Szkudlarek, Abderrahmane Aftahi, Christian Dong (Review)
  • German: Rocco Gränitz, Sven Schleier (Review)
  • Hindi: Mukesh Sharma, Ritesh Kumar, Kunwar Atul Singh, Parag Dave, Devendra Kumar Sinha, Vikrant Shah
  • Japanese: Koki Takeyama, Riotaro Okada (Review)
  • Korean: Youngjae Jeon, Jeongwon Cho, Jiyou Han, Jiyeon Sung
  • Persian: Hamed Salimian, Ramin Atefinia, Dorna Azhirak, Bardiya Akbari, Mahsa Omidvar, Alireza Mazhari, Milad Khoshdel
  • Portuguese: Ana Filipa Mota, Fernando Nogueira, Filipa Gomes, Luis Fontes, Sónia Dias
  • Russian: Gall Maxim, Eugen Martynov, Chelnokov Vladislav, Oprya Egor, Tereshin Dmitry
  • Spanish: Martin Marsicano, Carlos Holguera
  • Turkish: Anıl Baş, Haktan Emik
  • Greek: Panagiotis Yialouris

OWASP MASTG V1

The latest version of the MASTG v1 is available here: https://github.com/OWASP/mastg/releases/tag/v1.5.0

Note: This contributor table is generated based on our GitHub contribution statistics. For more information on these stats, see the GitHub Repository README. We manually update the table, so be patient if you're not listed immediately.

  • Reviewers: Reviewers have consistently provided useful feedback through GitHub issues and pull request comments.
  • Top Contributors: Top contributors have consistently contributed quality content and have at least 500 additions logged in the GitHub repository.
  • Contributors: Contributors have contributed quality content and have at least 50 additions logged in the GitHub repository.
  • Mini Contributors: Many other contributors have committed small amounts of content, such as a single word or sentence (fewer than 50 additions).

The MASTG v1 contributors, by category:

  • Authors: Bernhard Mueller, Sven Schleier, Jeroen Willemsen, Carlos Holguera
  • Reviewers: Jeroen Beckers, Sjoerd Langkemper, Anant Shrivastava
  • Top Contributors: Pawel Rzepa, Francesco Stillavato, Henry Hoggard, Andreas Happe, Kyle Benac, Paulino Calderon, Alexander Anthuk, Caleb Kinney, Abderrahmane Aftahi, Koki Takeyama, Wen Bin Kong, Abdessamad Temmar, Cláudio André, Slawomir Kosowski, Bolot Kerimbaev, Lukasz Wierzbicki
  • Contributors: kryptoknight13, DarioI, luander, oguzhantopgul, Osipion, mpishu, pmilosev, isher-ux, thec00n, ssecteam, jay0301, magicansk, jinkunong, nick-epson, caitlinandrews, dharshin, raulsiles, righettod, karolpiateknet, mkaraoz, Sjord, bugwrangler, jasondoyle, joscandreu, yog3shsharma, ryantzj, rylyade1, shivsahni, diamonddocumentation, 51j0, AnnaSzk, hlhodges, legik, abjurato, serek8, mhelwig, locpv-ibl and ThunderSon.
  • Mini Contributors: jonasw234, zehuanli, jadeboer, Isopach, prabhant, jhscheer, meetinthemiddle-be, bet4it, aslamanver, juan-dambra, OWASP-Seoul, hduarte, TommyJ1994, forced-request, D00gs, vasconcedu, mehradn7, whoot, LucasParsy, DotDotSlashRepo, enovella, ionis111, vishalsodani, chame1eon, allRiceOnMe, crazykid95, Ralireza, Chan9390, tamariz-boop, abhaynayar, camgaertner, EhsanMashhadi, fujiokayu, decidedlygray, Ali-Yazdani, Fi5t, MatthiasGabriel, colman-mbuya and anyashka
  • Editors: Heaven Hodges, Caitlin Andrews, Nick Epson, Anita Diamond, Anna Szkudlarek

OWASP MASTG Beta

OWASP MSTG "Beta 2" (Google Doc)

  • Authors: Milan Singh Thakur, Abhinav Sejpal, Blessen Thomas, Dennis Titze, Davide Cioccia, Pragati Singh, Mohammad Hamed Dadpour, David Fern, Ali Yazdani, Mirza Ali, Rahil Parikh, Anant Shrivastava, Stephen Corbiaux, Ryan Dewhurst, Anto Joseph, Bao Lee, Shiv Patel, Nutan Kumar Panda, Julian Schütte, Stephanie Vanroelen, Bernard Wagner, Gerhard Wagner, Javier Dominguez
  • Reviewers: Andrew Muller, Jonathan Carter, Stephanie Vanroelen, Milan Singh Thakur
  • Top Contributors: Jim Manico, Paco Hope, Pragati Singh, Yair Amit, Amin Lalji

OWASP MSTG "Beta 1" (Google Doc)

  • Authors: Milan Singh Thakur, Abhinav Sejpal, Pragati Singh, Mohammad Hamed Dadpour, David Fern, Mirza Ali, Rahil Parikh
  • Reviewers: Andrew Muller, Jonathan Carter
  • Top Contributors: Jim Manico, Paco Hope, Yair Amit, Amin Lalji