Traffic Light Protocol - TLPv2
The Traffic Light Protocol - or TLP for short - was designed to provide a simple classification scheme for sharing sensitive information while keeping control over how far that information is distributed.
Community: Under TLP, a community is a group who share common goals, practices, and informal trust relationships. A community can be as broad as all cybersecurity practitioners in a country (or in a sector or region) or a MISP community.
Organization: Under TLP, an organization is a group who share a common affiliation by formal membership and are bound by common policies set by the organization. An organization can be as broad as all members of an information sharing organization, but rarely broader.
Clients: Under TLP, clients are those people or entities that receive cybersecurity services from an organization. Clients are by default included in TLP:AMBER so that the recipients may share information further downstream in order for clients to take action to protect themselves. For teams with national responsibility this definition includes stakeholders and constituents.
TLP Color | Description | Examples | Previously known as (in version 1) |
---|---|---|---|
RED | Information exclusively and directly given to (a group of) individual recipients. Sharing outside of that group is not legitimate. | People in a meeting, direct message (1-to-1, strictly limited) | |
AMBER+STRICT | Restricts sharing to the organization only, whereas AMBER in TLP version 2 includes the organization and its clients. | CERTs sending a set of very sensitive indicators to an organization. | Not existing in version 1 |
AMBER | Information exclusively given to an organization and its clients; sharing limited within the organization and its clients to be effectively acted upon | CERTs sending indicators of compromise to an organization (1-to-group, limited). | |
GREEN | Information given to a community or a group of organizations at large. The information cannot be publicly released. | CERTs sending a specific security notification to a sector (1-to-many, limited) | |
CLEAR | Information can be shared publicly in accordance with the law | Public security advisory or notification published on the Internet (1-to-any, unlimited) | WHITE |
Chatham House Rule (CHR) in addition to TLP
At CIRCL, we extend the Traffic Light Protocol with a specific tag called Chatham House Rule (CHR). When this CHR tag is present, the attribution (the source of the information) must not be disclosed. This additional rule is at the discretion of the initial sender, who decides whether or not to apply the CHR tag.
As an example, the Chatham House Rule can be used when the reporter of a security vulnerability does not want to be identified.
Where is the Traffic Light Protocol used?
At CIRCL, we use the Traffic Light Protocol (TLP) to classify threat indicators shared in our CIRCL MISP platforms. The Traffic Light Protocol is regularly used to classify the information to be exchanged about incidents within the scope authorized by the targets.
How do you use the Traffic Light Protocol in a document?
The TLP AMBER classification can be expressed in the following way:
TLP:AMBER
If you need to extend the classification with the Chatham House Rule:
TLP:AMBER TLP:EX:CHR
If you have different TLP classifications in the same document, you must clearly express the classification on each line:
TLP:AMBER abcdef
TLP:GREEN zxcv
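As an added example (not part of the CIRCL page or of MISP), the following Python parses the per-line marking convention shown above, including the CIRCL `TLP:EX:CHR` extension, and decides which lines may be released to a given audience. The nested audience ordering, the `release` helper and the sample document are assumptions made for illustration.

```python
"""Parse per-line TLPv2 markings (with CIRCL's TLP:EX:CHR extension) and
decide whether each line may be released to a given audience."""
import re

# Audiences from narrowest to widest. Assumption: they are treated as nested,
# which matches the progressive widening of the TLPv2 colours.
AUDIENCES = ["recipients", "organization", "clients", "community", "public"]

# TLPv2 colour -> widest audience a line may reach. TLP:WHITE (v1) is CLEAR.
SCOPE = {
    "RED": "recipients",
    "AMBER+STRICT": "organization",
    "AMBER": "clients",
    "GREEN": "community",
    "CLEAR": "public",
    "WHITE": "public",
}

# Order matters: AMBER+STRICT must be tried before AMBER.
MARKING_RE = re.compile(
    r"^TLP:(RED|AMBER\+STRICT|AMBER|GREEN|CLEAR|WHITE)"
    r"(\s+TLP:EX:CHR)?(?:\s+(.*))?$"
)

def parse_line(line):
    """Return (colour, chr_applies, payload), or None for an unmarked line.
    Unmarked lines are rejected on purpose: the convention above requires a
    marking on every line of a mixed document."""
    m = MARKING_RE.match(line.strip())
    if not m:
        return None
    colour, chr_tag, payload = m.groups()
    return colour, chr_tag is not None, payload or ""

def may_share(colour, audience):
    """True when the TLPv2 colour allows the line to reach `audience`."""
    return AUDIENCES.index(audience) <= AUDIENCES.index(SCOPE[colour])

def release(document, audience):
    """Return (payload, chr_applies) for every line releasable to `audience`.
    The CHR flag tells the caller to strip attribution before forwarding."""
    out = []
    for line in document.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # unmarked: not releasable
        colour, chr_applies, payload = parsed
        if may_share(colour, audience):
            out.append((payload, chr_applies))
    return out

# Constructed sample document following the per-line convention.
SAMPLE = "TLP:AMBER abcdef\nTLP:GREEN zxcv\nTLP:RED TLP:EX:CHR secret\nunmarked\n"

if __name__ == "__main__":
    print(release(SAMPLE, "community"))  # [('zxcv', False)]
```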
Reference
History
- 9th January 2023 - Updated version with the new version of TLP (version 2) and CIRCL extension