
Traffic Light Protocol (TLP)

The Traffic Light Protocol (TLP) has been adopted for a standards-track by FIRST [140]. By marking a document with a TLP level—Red, Amber, Green, or White—a sender can easily communicate the sensitivity of vulnerability information and expectations about sharing it further. In the context of CVD, the following applies:

  • TLP:GREEN and TLP:AMBER are best suited for information shared between reporters, vendors, and coordinators during phases prior to public announcement of a vulnerability.
  • If pre-publication announcements are made to deployers or other stakeholders, TLP:RED or TLP:AMBER could be a good fit.
  • TLP:WHITE is most useful for public disclosures.

See Appendix B for more on TLP.

Don't Automatically Trust Reports

There are two reasons that organizations receiving vulnerability reports should maintain a degree of wariness regarding the reports they receive. The first is intentional misdirection of your CVD capability, which we already discussed in Section 4.3.1.1. The second is subtler, in that the technical infrastructure you deploy to manage CVD cases can potentially be affected by the vulnerabilities you are coordinating.
