Describe the feature

xBOMs can contain information which the creator may consider sensitive and may wish to ensure that the xBOM is only shared with an appropriate audience. For example an SBOM may indicate the version of a component which is known to be vulnerable; the creator may not want that information to be widely known

Possible solutions

The Traffic Light Protocol (TLP) (see here) is a standard way of indicating how sensitive information be shared. CISA adopted Version 2.0 of the FIRST standard on November 1, 2022, By including a TLP property as part of the document metadata, the sharing conditions will be clearly defined.

Alternatives

Sharing artifacts such as xBOMs could be controlled by contractual means; however whilst this can work, there is nothing within the xBOM to indicate if the xBOM is subject to some restrictions as regards sharing. By explicitly including the sharing restrictions, there is no ambiqguity.

Additional context

The [CSAF standard (https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html)for sharing vulnerability information already includes TLP proerty.