Traffic Light Protocol (TLP) - Classification and Sharing of Sensitive Information

Traffic Light Protocol (TLP) - Classification and Sharing of Sensitive Information

Back to Publications and Presentations

  1. Traffic Light Protocol - TLP
  2. Chatham House Rule (CHR) in addition to TLP
  3. Where is the Traffic Light Protocol used?
  4. How do you use the Traffic Light Protocol in a document?

You can report incidents via our official contact including e-mail, phone or use the Anonymous reporting form.

Search


CIRCL is accredited TI CIRCL is FIRST member

Traffic Light Protocol - TLP

The Traffic Light Protocol - or short: TLP - was designed with the objective to create a favorable classification scheme for sharing sensitive information while keeping the control over its distribution at the same time.

TLP Color Description Examples
RED Information exclusively and directly given to (a group of) individual recipients. Sharing outside is not legitimate People in a meeting, direct message (1-to-1, strictly limited)
AMBER Information exclusively given to an organization; sharing limited within the organization to be effectively acted upon CERTs sending indicators of compromise to an organization (1-to-group, limited)
GREEN Information given to a community or a group of organizations at large. The information cannot be publicly released. CERTs sending a specific security notification to a sector (1-to-many, limited)
WHITE Information can be shared publicly in accordance with the law Public security advisory or notification published on the Internet (1-to-any, unlimited)

Chatham House Rule (CHR) in addition to TLP

At CIRCL, we extend the Traffic Light Protocol with a specific tag called Chatham House Rule (CHR). When this specific CHR tag is mentioned, the attribution (the source of information) must not be disclosed. This additional rule is at the discretion of the initial sender who can decide to apply or not the CHR tag.

As an example, Chatham House Rule can be used when a reporter of a security vulnerability don’t want to be disclosed.

Where is the Traffic Light Protocol used?

At CIRCL, we use the Traffic Light Protocol (TLP) to classify threat indicators shared in our CIRCL MISP platforms. The Traffic Light Protocol is regularly used to classify the information to be exchanged about incidents within the scope authorized by the targets.

How do you use the Traffic Light Protocol in a document?

The TLP AMBER classification can be expressed in the following way

TLP:AMBER

If you need to extend the classification with the Chatham House Rule

TLP:AMBER TLP:EX:CHR

If you have different TLP classifications in the same document, you must clearly express the classification at each line.

TLP:AMBER abcdef
TLP:GREEN zxcv