Linus Torvalds said on May 18 that the flood of AI-generated security bug reports has made the Linux security mailing list “almost entirely unmanageable.” He said enormous duplication arises from different people submitting reports of the same issues using similar AI tools. “People spend all their time just forwarding things to the right people or saying 'that was already fixed a week/month ago' and pointing to the public discussion. Which is all entirely pointless churn,” he added [1, 2, 3, 4].
Torvalds explained that bugs detected by AI tools are generally not secret. Handling these reports privately wastes time and increases duplication, since reporters cannot see others’ findings. “AI detected bugs are pretty much by definition not secret, and treating them on some private list is a waste of time for everybody involved - and only makes that duplication worse because the reporters can't even see each other's reports,” he said [5, 2, 3, 4].
Instead of submitting simple AI-generated reports, Torvalds encouraged users to add real value by reading documentation, creating patches, and contributing meaningful fixes. “If you actually want to add value, read the documentation, create a patch too, and add some real value on top of what the AI did. Don't be the drive-by 'send a random report with no real understanding' kind of person,” Torvalds said [2, 3, 4].
GitHub senior product security engineer Jarom Brown echoed this approach. He called for validating AI-assisted bug reports by verifying and reproducing them and submitting working proofs of concept. “An AI-assisted finding that's been verified, reproduced, and submitted with a working proof of concept is a great submission. An unvalidated output submitted as-is without reproduction or demonstrated impact is not... One well-researched, validated finding is worth more than 10 speculative ones,” Brown said [3].
Torvalds emphasized that the problem is not the AI tools themselves, but the massive volume of duplicate, low-value reports that overloads maintainers and wastes their time [2, 3, 4].
On May 17, Linux kernel version 7.1-rc4 was released. It includes updated documentation clarifying what constitutes a security bug and offering guidance on responsible AI use in kernel development and bug hunting [6, 5, 2]. The update aims to reduce the flood of duplicated AI-generated bug reports and improve report quality.
Linux developers and researchers will be watching the impact of these documentation changes as they work to keep the mailing list manageable while still encouraging useful contributions.