# TLP Classification

Traffic Light Protocol (TLP) is a standardized labeling scheme for controlling information sharing. Applying a TLP classification to an SBOM communicates its distribution constraints to recipients — from unrestricted public sharing to strictly private.

***

## TLP Levels

| Level            | Color      | Distribution Rule                                                                 |
| ---------------- | ---------- | --------------------------------------------------------------------------------- |
| **CLEAR**        | White/Blue | Disclosure is not limited. Can be shared publicly.                                |
| **GREEN**        | Green      | Restricted to the community. Can be shared within the community but not publicly. |
| **AMBER**        | Yellow     | Restricted to the organization and its clients on a need-to-know basis.           |
| **AMBER+STRICT** | Orange     | Restricted to the organization only. Cannot be shared with clients.               |
| **RED**          | Red        | Not for disclosure. Restricted to named participants only.                        |

For the full TLP specification, see [FIRST.org TLP](https://www.first.org/tlp/).

***

## How Classification Cascades

TLP classification resolves through a three-level hierarchy:

```
Organization Default
       ↓ (inherited unless overridden)
  Project Setting
       ↓ (inherited unless overridden)
   SBOM (Version)      ← effective classification
```

An SBOM-level classification takes precedence over the project setting, which in turn takes precedence over the organization default. If none is set, no TLP label is applied.

This means you can:

* Set a default across all new projects at the organization level.
* Override for a specific product in its project settings.
* Override for a specific SBOM version on the SBOM detail page.

***

## Setting TLP Classification

### On an Individual SBOM

1. Navigate to the Product, select the Environment, and open a Version.
2. Click the **Details** tab.
3. Find the **TLP Classification** field.
4. Click **Add Classification** (or the edit icon if one is already set).
5. Select a TLP level from the dropdown.
6. Click **Save**.

To remove a classification, click the trash icon next to the current label.

### At the Project Level

Set a default for all SBOMs within a project environment:

1. Navigate to the Product and select an Environment.
2. Click the **Settings** tab.
3. Find the **TLP Classification** setting.
4. Select a level.
5. Changes apply to new SBOMs. Existing SBOMs that have an explicit classification are not affected.

### At the Organization Level

Set an organization-wide default inherited by all new projects:

1. Navigate to **Settings > Organization > Environment Defaults**.
2. Find the **TLP Classification** field.
3. Select a level.
4. Click **Save**.

New projects inherit this default. Existing project settings are not retroactively changed unless you use the **Apply to All Projects** option.

***

## TLP and SBOM Downloads

When downloading an SBOM, the TLP classification can be overridden at download time using the `tlpClassificationOverride` argument. This is useful when sharing SBOMs with different audiences — for example, generating a CLEAR version for public disclosure while keeping the stored copy as AMBER.

```bash
# Download with a TLP override (via GraphQL)
curl -X POST https://api.interlynk.io/lynkapi \
  -H "Authorization: Bearer $INTERLYNK_SECURITY_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "query": "mutation { sbomDownload(id: \"<sbom-id>\", tlpClassificationOverride: \"CLEAR\") { downloadUrl errors } }"
  }'
```
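The cascade rule and the download-time override can be reviewed together: resolve the effective label first, then check whether an override relaxes it. This is an added example, not Interlynk code; the function names and the sample records are constructed, and it assumes each download's settings and override value are available to the reviewer.

```python
# Added example: helper names are hypothetical. Only the TLP levels and the
# organization -> project -> SBOM precedence come from the page.
from typing import Optional

# Ordered from least to most restrictive, following the TLP Levels table.
TLP_ORDER = ["CLEAR", "GREEN", "AMBER", "AMBER+STRICT", "RED"]


def _rank(level: str) -> int:
    if level not in TLP_ORDER:
        raise ValueError(f"unknown TLP level: {level!r}")
    return TLP_ORDER.index(level)


def effective_tlp(org: Optional[str], project: Optional[str],
                  sbom: Optional[str]) -> Optional[str]:
    """Most specific setting wins; None means no TLP label is applied."""
    for level in (sbom, project, org):
        if level is not None:
            _rank(level)  # reject typos such as "YELLOW"
            return level
    return None


def review_override(stored: Optional[str], override: str) -> str:
    """Classify a download-time override against the stored label."""
    if stored is None:
        return "unlabelled"
    diff = _rank(override) - _rank(stored)
    if diff < 0:
        return "relaxes"  # wider distribution than the stored copy allows
    return "tightens" if diff > 0 else "same"


# Constructed sample: (org default, project setting, SBOM setting, override)
SAMPLE_DOWNLOADS = [
    ("GREEN", None, None, "GREEN"),
    ("GREEN", "AMBER", None, "CLEAR"),
    ("GREEN", "AMBER", "RED", "AMBER+STRICT"),
    (None, None, None, "CLEAR"),
    ("AMBER", None, "GREEN", "AMBER"),
]


def audit(downloads):
    """Return (effective label, override, verdict) for each download."""
    rows = []
    for org, project, sbom, override in downloads:
        stored = effective_tlp(org, project, sbom)
        rows.append((stored, override, review_override(stored, override)))
    return rows
```

Rows with the verdict `relaxes` are the ones to confirm against the intended audience before the downloaded file is shared.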

***

## Common Questions

**Does TLP affect vulnerability scanning or policy evaluation?** No. TLP is a metadata label for distribution control. It does not change how the platform scans vulnerabilities, evaluates policies, or scores compliance.

**Can I set TLP on archived SBOMs?** Yes. The classification can be edited on any SBOM regardless of lifecycle state.

**Is TLP visible in the ShareLynk view?** The effective TLP classification is visible to ShareLynk recipients so they understand the distribution constraints of the SBOM they are viewing.

