TLP Classification
Traffic Light Protocol (TLP) is a standardized labeling scheme for controlling information sharing. Applying a TLP classification to an SBOM communicates its distribution constraints to recipients — from unrestricted public sharing to strictly private.
TLP Levels
CLEAR (White/Blue): Disclosure is not limited. Can be shared publicly.
GREEN (Green): Restricted to the community. Can be shared within the community but not publicly.
AMBER (Yellow): Restricted to the organization and its clients on a need-to-know basis.
AMBER+STRICT (Orange): Restricted to the organization only. Cannot be shared with clients.
RED (Red): Not for disclosure. Restricted to named participants only.
For the full TLP specification, see FIRST.org TLP.
How Classification Cascades
TLP classification resolves through a three-level hierarchy:
Organization Default
↓ (inherited unless overridden)
Project Setting
↓ (inherited unless overridden)
SBOM (Version) ← effective classification
An SBOM-level classification takes precedence over the project setting, which in turn takes precedence over the organization default. If none is set, no TLP label is applied.
This means you can:
Set a default across all new projects at the organization level.
Override for a specific product in its project settings.
Override for a specific SBOM version on the SBOM detail page.
Setting TLP Classification
On an Individual SBOM
Navigate to the Product, select the Environment, and open a Version.
Click the Details tab.
Find the TLP Classification field.
Click Add Classification (or the edit icon if one is already set).
Select a TLP level from the dropdown.
Click Save.
To remove a classification, click the trash icon next to the current label.
At the Project Level
Set a default for all SBOMs within a project environment:
Navigate to the Product and select an Environment.
Click the Settings tab.
Find the TLP Classification setting.
Select a level.
Changes apply to new SBOMs. Existing SBOMs that have an explicit classification are not affected.
At the Organization Level
Set an organization-wide default inherited by all new projects:
Navigate to Settings > Organization > Environment Defaults.
Find the TLP Classification field.
Select a level.
Click Save.
New projects inherit this default. Existing project settings are not retroactively changed unless you use the Apply to All Projects option.
TLP and SBOM Downloads
When downloading an SBOM, the TLP classification can be overridden at download time using the tlpClassificationOverride argument. This is useful when sharing SBOMs with different audiences — for example, generating a CLEAR version for public disclosure while keeping the stored copy as AMBER.
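The cascade described under "How Classification Cascades" and the download-time override described above can be modelled in a few lines. The following is an added example, not the platform's own code: the five level names and their order (least to most restrictive) come from the page, while the record types (Organization, Project, Sbom), the effective_tlp and download_tlp functions, and the tlp_classification_override parameter that stands in for the page's tlpClassificationOverride argument are assumptions of this example. download_tlp also reports whether an override relaxed the stored label, which is the detail a practitioner would want to log when a CLEAR copy is generated from an AMBER SBOM.

```python
"""Model of TLP cascade resolution and download-time override.

Added example, not the platform's code. Level names and their order follow
the page; the data model and function names are assumptions of this example.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# TLP levels from least to most restrictive, as listed on the page.
TLP_LEVELS = ["CLEAR", "GREEN", "AMBER", "AMBER+STRICT", "RED"]
_RANK = {level: i for i, level in enumerate(TLP_LEVELS)}


@dataclass
class Organization:
    # Settings > Organization > Environment Defaults (None = not set)
    tlp_default: Optional[str] = None


@dataclass
class Project:
    org: Organization
    # Project (environment) Settings tab (None = inherit from organization)
    tlp_setting: Optional[str] = None


@dataclass
class Sbom:
    project: Project
    # Details tab on the SBOM version (None = inherit from project)
    tlp_classification: Optional[str] = None


def _validate(level: Optional[str]) -> Optional[str]:
    """Accept None or one of the five TLP labels; reject anything else."""
    if level is not None and level not in _RANK:
        raise ValueError(f"unknown TLP level: {level!r}")
    return level


def effective_tlp(sbom: Sbom) -> Optional[str]:
    """Resolve the cascade: SBOM -> project -> organization -> no label.

    A less specific level is used only when every more specific one is unset.
    Returns None when nothing is set anywhere in the hierarchy.
    """
    for candidate in (sbom.tlp_classification,
                      sbom.project.tlp_setting,
                      sbom.project.org.tlp_default):
        if _validate(candidate) is not None:
            return candidate
    return None


def download_tlp(sbom: Sbom,
                 tlp_classification_override: Optional[str] = None
                 ) -> Tuple[Optional[str], Optional[str], bool]:
    """Return (label on the downloaded copy, stored effective label, relaxed).

    'relaxed' is True when the override is less restrictive than the stored
    label, e.g. a CLEAR download of an AMBER SBOM. The override parameter
    models the page's tlpClassificationOverride argument (assumed name).
    """
    stored = effective_tlp(sbom)
    override = _validate(tlp_classification_override)
    applied = override if override is not None else stored
    relaxed = (stored is not None and applied is not None
               and _RANK[applied] < _RANK[stored])
    return applied, stored, relaxed


if __name__ == "__main__":
    # Constructed sample hierarchy: org default AMBER, project inherits it.
    org = Organization(tlp_default="AMBER")
    proj = Project(org=org)
    v1 = Sbom(project=proj)                            # inherits AMBER
    v2 = Sbom(project=proj, tlp_classification="RED")  # explicit override
    print(effective_tlp(v1), effective_tlp(v2))        # AMBER RED
    print(download_tlp(v1, "CLEAR"))                   # ('CLEAR', 'AMBER', True)
```

The resolver deliberately returns None rather than a default label when nothing is set, matching the page's "no TLP label is applied"; callers that need a label for every download should treat None as a configuration gap rather than silently substituting CLEAR.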
Common Questions
Does TLP affect vulnerability scanning or policy evaluation? No. TLP is a metadata label for distribution control. It does not change how the platform scans vulnerabilities, evaluates policies, or scores compliance.
Can I set TLP on archived SBOMs? Yes. The classification can be edited on any SBOM regardless of lifecycle state.
Is TLP visible in the ShareLynk view? The effective TLP classification is visible to ShareLynk recipients so they understand the distribution constraints of the SBOM they are viewing.