Getting Started
What is Faultlean?
Faultlean is an issue management platform for coordinated vulnerability disclosure. Organizations use it to receive, triage, and track security vulnerability reports from researchers (reporters). Reporters use it to submit findings and follow their progress.
Roles
Faultlean has two personas you can switch between at any time:
Organization Member — you belong to an organization and can view, review, and manage incoming reports. Within an organization, members have one of three roles:
- Owner — full access, including integration settings and member management.
- Admin — can manage members, review reports, and configure most settings.
- Member — can view and review reports.
Reporter — you submit vulnerability reports to organizations that have invited you. You can track the status of your reports and communicate with the organization through messages.
Submitting a Report
As a reporter, click "New Report" from your dashboard. Select the organization (if you report to more than one), provide a title, description, reproduction steps, and optionally impact and severity. You can attach files and embed images inline using Markdown.
Each report gets a tracking ID that you assign, so you can cross-reference it with your own records.
Reviewing a Report
As an organization member, open a report and click "Create Review." A review captures whether the issue was verified, its severity, whether it has been fixed, and classification flags (PII, PHI, access control, etc.). You can create multiple reviews as the situation evolves.
Publishing
If your organization has integrations configured (Linear, Slack), you can publish a report to create an issue in your tracker and post a notification to your messaging channel. The full report content — description, reproduction steps, reviews, and messages — is included.
After publishing, the report page shows the current triage status from the issue tracker.
Messages
Both reporters and organization members can post messages on a report. Organization members can mark messages as internal (visible only to other org members).
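The role list under "Roles" and the internal-message rule above together describe a small access-control model: org roles get increasing privileges, and internal messages must never reach a reporter. The following is an added illustration of how a service could enforce both server-side with deny-by-default checks; it is not Faultlean's code, and the permission names, `Message` shape, and sample messages are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List

# Hypothetical permission matrix derived from the three org roles on this page.
# Anything not listed here is denied (deny by default).
ROLE_PERMISSIONS: dict[str, FrozenSet[str]] = {
    "owner": frozenset({
        "view_report", "review_report", "manage_members",
        "configure_settings", "configure_integrations",
    }),
    "admin": frozenset({
        "view_report", "review_report", "manage_members", "configure_settings",
    }),
    "member": frozenset({"view_report", "review_report"}),
}


def can(role: str, action: str) -> bool:
    """Return True only if the role explicitly grants the action.

    Unknown roles and unknown actions fall through to the empty set, so a typo
    or a new role that was never mapped cannot accidentally grant access.
    """
    return action in ROLE_PERMISSIONS.get(role.lower(), frozenset())


@dataclass(frozen=True)
class Message:
    author: str
    body: str
    internal: bool = False  # internal == visible only to org members


def post_message(author_is_org_member: bool, author: str, body: str,
                 internal: bool = False) -> Message:
    """Only org members may mark a message internal; reporters cannot.

    The check happens here, at creation time, so a reporter cannot craft a
    request with internal=True and have it stored as an org-only message.
    """
    if internal and not author_is_org_member:
        raise PermissionError("only organization members can mark messages internal")
    return Message(author=author, body=body, internal=internal)


def visible_messages(messages: Iterable[Message],
                     viewer_is_org_member: bool) -> List[Message]:
    """Filter on the server before serialising, so the client never sees
    internal messages it is not entitled to, even if its UI is modified."""
    return [m for m in messages if viewer_is_org_member or not m.internal]


# Constructed sample thread for demonstration (not real data).
SAMPLE_THREAD = [
    post_message(False, "reporter", "Repro steps attached."),
    post_message(True, "org-admin", "Confirmed, assigning to backend team.", internal=True),
    post_message(True, "org-admin", "Thanks, we have verified the issue."),
]


def demo() -> dict:
    """Summarise what each persona would be shown for the sample thread."""
    return {
        "reporter_sees": len(visible_messages(SAMPLE_THREAD, viewer_is_org_member=False)),
        "org_member_sees": len(visible_messages(SAMPLE_THREAD, viewer_is_org_member=True)),
        "member_can_manage_members": can("member", "manage_members"),
        "owner_can_configure_integrations": can("owner", "configure_integrations"),
    }


if __name__ == "__main__":
    print(demo())
```

The point of putting the checks in `post_message` and `visible_messages` rather than in the UI is that a hidden checkbox or a filtered list in the browser is not a control; the server has to refuse to store a reporter's "internal" flag and has to drop internal messages before the response is built.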
Security
Faultlean supports two-factor authentication (TOTP) and passkeys (WebAuthn). Organizations can require 2FA for all members.