Traffic Light Protocol (TLP-SIG)

Mission

TLP, originally developed to encourage information sharing with and among public and private sector security professionals in the United Kingdom, has achieved widespread adoption around the globe. In regular use by all types of CSIRTs, PSIRTs, operational trust communities, information sharing analysis organizations, government agencies, and private researchers, TLP has achieved "de facto" international standard status. The FIRST community, in consultation with other security information sharing communities, established a Standards SIG for TLP to ensure that interpretations are consistent and that TLP is leveraged appropriately and with clear expectations by all.

The FIRST TLP SIG governs the definition of TLP for the benefit of the worldwide security incident response community and its partners. The TLP SIG members standardize, translate and, as necessary, evolve the TLP in an independent, fair and transparent fashion.

Goals & Deliverables

At the 28th Annual Conference and AGM in Seoul, June 2016, the TLP SIG produced the initial draft of a common, standardized set of definitions for all Traffic Light Protocol colors in English along with clear usage guidance explaining how, when and where TLP should be used to be most effective. This draft was presented to the FIRST Board during the conference to be considered for publication as FIRST standard and hosted on the public FIRST.org website as a reference.

Beginning in 2020, the TLP-SIG began working on an update to the FIRST TLP. This update, which became TLP Version 2.0, followed the FIRST Standards Policy and was circulated for comments throughout the FIRST community and various other communities worldwide that have adopted TLP. TLP Version 2.0 was published following the 34th Annual FIRST Conference in Dublin, June 2022 - and has replaced the old version as of 1 January 2023. A panel presentation discussing the changes and process of updating TLP can be seen on FIRST's YouTube channel.

A growing number of language translations are becoming available - e-mail to tlp-sig@first.org for guidance, if you want to translate TLP into your own language.

The TLP-SIG is currently working on developing detailed use cases for TLP to serve as an appendix to the standard, as well as learning materials.

Visit the Traffic Light Protocol Definitions and Usage Guidance at www.first.org/tlp.

Chair

• Tom Millar, CISA
• Don Stikvoort, Open CSIRT Foundation

Request to Join

• Initiatives
  • Special Interest Groups (SIGs)
    • SIGs Framework
    • Academic Security SIG
    • AI Security SIG
    • Automation SIG
    • Cybersecurity Communications SIG
    • Common Vulnerability Scoring System (CVSS-SIG)
      • Calculator
      • Specification Document
      • User Guide
      • Examples
      • Frequently Asked Questions
      • CVSS v4.0 Documentation & Resources
        • CVSS v4.0 Calculator
        • CVSS v4.0 Specification Document
        • CVSS v4.0 User Guide
        • CVSS v4.0 Examples
        • CVSS v4.0 FAQ
      • CVSS v3.1 Archive
        • CVSS v3.1 Calculator
        • CVSS v3.1 Specification Document
        • CVSS v3.1 User Guide
        • CVSS v3.1 Examples
        • CVSS v3.1 Calculator Use & Design
      • CVSS v3.0 Archive
        • CVSS v3.0 Calculator
        • CVSS v3.0 Specification Document
        • CVSS v3.0 User Guide
        • CVSS v3.0 Examples
        • CVSS v3.0 Calculator Use & Design
      • CVSS v2 Archive
        • CVSS v2 Complete Documentation
        • CVSS v2 History
        • CVSS-SIG team
        • SIG Meetings
        • Frequently Asked Questions
        • CVSS Adopters
        • CVSS Links
      • CVSS v1 Archive
        • Introduction to CVSS
        • Frequently Asked Questions
        • Complete CVSS v1 Guide
      • JSON & XML Data Representations
      • CVSS On-Line Training Course
      • Identity & logo usage
    • CSIRT Framework Development SIG
    • Cyber Insurance SIG
      • Cyber Insurance SIG Webinars
    • Cyber Threat Intelligence SIG
      • Curriculum
        • Introduction
        • Introduction to CTI as a General topic
        • Methods and Methodology
        • Priority Intelligence Requirement (PIR)
        • Source Evaluation and Information Reliability
        • Machine and Human Analysis Techniques (and Intelligence Cycle)
        • Threat Modelling
        • Training
        • Standards
        • Glossary
        • Communicating Uncertainties in CTI Reporting
      • Webinars and Online Training
      • Building a CTI program and team
        • Program maturity stages
          • CTI Maturity model - Stage 1
          • CTI Maturity model - Stage 2
          • CTI Maturity model - Stage 3
        • Program Starter Kit
        • Resources and supporting materials
    • Detection Engineering & Threat Hunting SIG
    • Digital Safety SIG
    • DNS Abuse SIG
      • Stakeholder Advice
        • Detection
          • Cache Poisoning
          • Creation of Malicious Subdomains Under Dynamic DNS Providers
          • DGA Domains
          • DNS As a Vector for DoS
          • DNS Beacons - C2 Communication
          • DNS Rebinding
          • DNS Server Compromise
          • DNS Tunneling
          • DoS Against the DNS
          • Domain Name Compromise
          • Dynamic DNS (as obfuscation technique)
          • Fast Flux (as obfuscation technique)
          • Infiltration and exfiltration via the DNS
          • Lame Delegations
          • Local Resolver Hijacking
          • Malicious registration of (effective) second level domains
          • On-path DNS Attack
          • Stub Resolver Hijacking
      • Code of Conduct & Other Policies
      • Examples of DNS Abuse
    • Ethics SIG
      • Ethics for Incident Response Teams
    • Exploit Prediction Scoring System (EPSS)
      • The EPSS Model
      • Data and Statistics
      • User Guide
      • EPSS Research and Presentations
      • Frequently Asked Questions
      • Who is using EPSS?
      • Open-source EPSS Tools
      • API
      • Related Exploit Research
      • Blog
        • Understanding EPSS Probabilities and Percentiles
        • Log4Shell Use Case
        • Estimating CVSS v3 Scores for 100,000 Older Vulnerabilities
      • Data Partners
    • FIRST Multi-Stakeholder Ransomware SIG
    • Human Factors in Security SIG
    • Industrial Control Systems SIG (ICS-SIG)
    • Information Exchange Policy SIG (IEP-SIG)
    • Information Sharing SIG
      • Malware Information Sharing Platform
    • Law Enforcement SIG
    • Malware Analysis SIG
      • Malware Analysis Framework
      • Malware Analysis Tools
    • Metrics SIG
      • Metrics SIG Webinars
    • NETSEC SIG
    • Public Policy SIG
    • PSIRT SIG
    • Red Team SIG
    • Security Lounge SIG
    • Security Operations Center SIG
    • Threat Intel Coalition SIG
      • Membership Requirements and Veto Rules
    • Traffic Light Protocol (TLP-SIG)
    • Transportation and Mobility SIG
    • Vulnerability Coordination
      • Multi-Party Vulnerability Coordination and Disclosure
      • Guidelines and Practices for Multi-Party Vulnerability Coordination and Disclosure
    • Vulnerability Reporting and Data eXchange SIG (VRDX-SIG)
      • Vulnerability Database Catalog
    • Women of FIRST
  • CCB Initiatives
  • FIRST CORE
    • Sponsorship Opportunities
  • Internet Governance
  • IR Database
  • Fellowship Program
    • Application Form
  • Mentorship Program
  • IR Hall of Fame
    • Hall of Fame Inductees
  • Victim Notification
  • Volunteers at FIRST
    • FIRST Volunteers
  • Previous Activities
    • Best Practices Contest