Linus Torvalds Says AI-Generated Bug Reports Have Made Linux Security Mailing List Unmanageable

Linux creator Linus Torvalds has said that it has become almost impossible to manage the Linux kernel’s security mailing list due to the influx of AI-generated bug reports. Many of these reports duplicate issues already filed by other researchers using similar tools. Torvalds mentioned this in his weekly “State of the Kernel” post, where he announced the fourth release candidate of Linux 7.1.

“The ongoing flood of AI reports has made the security list almost unbearable, with a lot of duplication as different people are finding similar problems with the same devices,” Torvalds explained.

He said maintainers were spending most of their time simply forwarding reports to the right people or pointing out that an issue had already been fixed weeks or months earlier, often referencing public discussion.

Why Torvalds says private security list is the wrong place for AI bug reports

Torvalds pointed out that bugs identified by AI are not suitable for discussion on the project’s private security mailing list because the same tools used to detect them are available to everyone. He added that AI-detected bugs are generally not secret, and that discussing them privately would be a waste of time for everyone involved.

He also said that keeping the process private could make the problem of duplicate reports worse, because reviewers cannot see each other’s submissions.

How Torvalds wants developers to use AI for kernel security

Torvalds made it clear that he does not want AI tools to be excluded from kernel development. Instead, he encourages researchers to use these tools more effectively. “If you find a bug using AI tools, chances are someone else has already found it,” he wrote. “To add real value, read the documentation, create a patch, and build on what the AI has provided. Avoid simply submitting a report without understanding the issue.”

He also directed contributors to the project’s security documentation, which outlines what is expected of a report.

Maintainers clash over value of AI-generated reports

Torvalds’ remarks differ from recent comments by fellow kernel maintainer Greg Kroah-Hartman. In March, Kroah-Hartman told The Register that AI bug reports had shifted from low-quality submissions to actually useful contributions.

This disagreement highlights ongoing questions within open-source projects about how to incorporate AI-assisted security research without overburdening maintainers.

The issue is further highlighted by a separate proposal from Nvidia engineer Sasha Levin. Levin suggested a Linux kernel killswitch mechanism to allow administrators to temporarily disable vulnerable functions while waiting for a patch. Both points reflect increasing pressure on kernel security workflows as AI tools become more widely used by external researchers.

Source: Ghacks