Traffic Light Protocol - TLP
The Traffic Light Protocol - or short: TLP - was designed with the objective to create a favorable classification scheme for sharing sensitive information while keeping the control over its distribution at the same time.
|RED||Information exclusively and directly given to (a group of) individual recipients. Sharing outside is not legitimate||People in a meeting, direct message (1-to-1, strictly limited)|
|AMBER||Information exclusively given to an organization; sharing limited within the organization to be effectively acted upon||CERTs sending indicators of compromise to an organization (1-to-group, limited)|
|GREEN||Information given to a community or a group of organizations at large. The information cannot be publicly released.||CERTs sending a specific security notification to a sector (1-to-many, limited)|
|WHITE||Information can be shared publicly in accordance with the law||Public security advisory or notification published on the Internet (1-to-any, unlimited)|
Chatham House Rule (CHR) in addition to TLP
At CIRCL, we extend the Traffic Light Protocol with a specific tag called Chatham House Rule (CHR). When this specific CHR tag is mentioned, the attribution (the source of information) must not be disclosed. This additional rule is at the discretion of the initial sender who can decide to apply or not the CHR tag.
As an example, Chatham House Rule can be used when a reporter of a security vulnerability don’t want to be disclosed.
Where is the Traffic Light Protocol used?
At CIRCL, we use the Traffic Light Protocol (TLP) to classify threat indicators shared in our CIRCL MISP platforms. The Traffic Light Protocol is regularly used to classify the information to be exchanged about incidents within the scope authorized by the targets.
How do you use the Traffic Light Protocol in a document?
The TLP AMBER classification can be expressed in the following way
If you need to extend the classification with the Chatham House Rule
If you have different TLP classifications in the same document, you must clearly express the classification at each line.
TLP:AMBER abcdef TLP:GREEN zxcv