Published: 2008-10-06
The brouhaha in the press over a possible serious set of vulnerabilities in a basic Internet protocol has led one well-known security researcher to call for the creation of a "council" to vet future claims and clarify the risk of supposed flaws.
On Friday, Dan Kaminsky -- the director of penetration testing for security firm IOActive -- called for a group of security researchers to volunteer to sign nondisclosure agreements with prospective vulnerability reporters, so that they can check out future claims of security issues. The goal of the initiative would be to tame the hyperbole that inevitably appears in the press following claims of a severe security flaw that are not accompanied by details of the vulnerability, Kaminsky said.
"The (current) partial disclosure path produces a lot of noise, but not a lot of actionable intelligence," Kaminsky told SecurityFocus. "And if there is no actionable intelligence, then no one is going to do anything."
The call for a council of researchers came after two network engineers in Sweden claimed last week that they had found a set of serious vulnerabilities in the Transmission Control Protocol (TCP), the standard for communicating data on networks including the Internet, along with ways to attack them. While the two researchers -- Jack Louis and Robert E. Lee of Outpost24 -- are considered experts in the industry, some researchers have doubted whether they have found anything new. The criticisms, which are playing out in public postings online and in the press, follow the same trajectory as those leveled against Kaminsky after he found a way to attack the domain-name system (DNS) in July.
Kaminsky acknowledged the irony of the situation, arguing that his decision to partially disclose the DNS flaw has led the media and others to readily believe claims of serious bugs without supporting evidence.
"These are friends of mine that are kind of getting screwed by a template that I have left out there," he said. "That is the kind of land mine that people are hitting right now."
Posted by: Robert Lemos
