TLP and the RedIRIS website

TRAFFIC LIGHT PROTOCOL (TLP)

The Traffic Light Protocol (TLP) is an international standard defined by FIRST.org to classify the sensitivity of information and define how it can be shared.

It aims to facilitate the exchange of sensitive information (e.g. on cyber threats) in a controlled and understandable way for all recipients.

In principle and unless otherwise indicated, all information published on the RedIRIS web server is , at the bottom of this page it is indicated which other TLPs are applied by default to other RedIRIS information.

Basic Principle

The TLP uses colors (like a traffic light) to indicate the extent of distribution allowed: the lighter the color, the wider the sharing possibility.

It defines common expectations to protect sensitive information.

Official TLP levels (version 2.0)

TLP:CLEAR (public, no limitations)

Allows open dissemination of information.

Example: A CERT publishes on its website security recommendations for all citizens.

TLP:GREEN (sectoral community)

It is shared within the sector or trusted community, without making it public.

Example: Share a cyber threat warning with all banks in the country so that they can be prepared, without publishing it openly.

TLP:AMBER (organization + customers/partners)

Information can be shared within the organization and with trusted third parties who need to know.

Example: A national CERT shares indicators of compromise (IoCs) with a bank, which can alert its affected customers.

TLP:AMBER+STRICT (within the organization only)

Information must be shared exclusively within the receiving organization. Disclosure to partners, affiliates and customers is not permitted.

Example: A national CERT alerts a bank of an impending attack, but sharing the information with external customers is not allowed.

TLP:RED (only for the person receiving the information)

The information is extremely sensitive and should not be shared even within the organization.

Example: An investigator shares extremely sensitive details of a breach with a trusted contact and does not want it shared with anyone else.

Use in RedIRIS

In RedIRIS generally all public information without access restrictions is .

Information that is accessed in an authenticated way such as service statistics and configuration, service coordination lists, etc. are considered to have by default, although some others may have a more restrictive TLP.

Information that is shared with institutions for a security problem in the IRISCERT service, activation of mitigation systems, are considered by default . There are few cases where information will be , there may be cases where information is requested from an institution but the end user is instructed not to be contacted.

Finally, we do not contemplate using unless, for example, security problems involving only one user in an organization, whose sensitive information cannot be shown to the organization itself, are detected.

Practical Example

Scenario: RedIRIS is informed or detects an attack directed against RedIRIS institutions, a critical vulnerability that may affect several institutions, etc.

  • RED: Alerts only a specific contact, individually.
  • AMBER: Alerts an institution, which can warn its affected users.
  • AMBER+STRICT: Alerts an institution, which can share it only with its internal team and cannot alert its individual users.
  • GREEN: Alerts all institutions so that they can prepare, without making it public.
  • CLEAR: Publishes the alert on its website for all users.

Official Reference

For more information, see the official specification at https://www.first.org/tlp