Linus Torvalds says AI-generated bug reports have made Linux security mailing list unmanageable


The creator of Linux, Linus Torvalds, has said that the Linux kernel security mailing list has become nearly impossible to manage due to an influx of AI-generated bug reports. Many of these reports duplicate issues already presented by other researchers using the same tools. Torvalds mentioned this in his weekly “state of the kernel” post, where he announced the fourth release candidate of Linux 7.1.

“The continuous flood of AI reports has made the security list almost unmanageable, with a lot of duplication because different people find the same problems with the same tools,” Torvalds explained.

He added that maintainers spend most of their time simply sending reports to the right people or pointing out that an issue was already fixed weeks or months earlier, often referencing public discussion.

Why Torvalds says the private security list is the wrong place for AI bug reports

Torvalds noted that the bugs identified by AI are not suitable for discussion on the project’s private security mailing list because the same tools used to detect them are available to everyone. He explained that errors detected by AI are generally not secret and discussing them privately would be a waste of time for everyone involved.

He also noted that keeping this process private can worsen the problem of duplicate reports, since reviewers cannot see each other’s submissions.

How Torvalds wants developers to use AI for kernel security

Torvalds clarified that he does not want artificial intelligence tools to be excluded from kernel development. Instead, he encourages researchers to use these tools more effectively. “If you find a bug using AI tools, chances are someone has already found it,” he wrote. “To add real value, read the documentation, create a patch, and take advantage of what the AI has provided. Avoid simply submitting a report without understanding the problem.” He also directed contributors to the project’s security documentation, which outlines reporting expectations.

Maintainers clash over value of AI-generated reports

Torvalds’ comments differ from recent comments by fellow kernel maintainer Greg Kroah-Hartman. In March, Kroah-Hartman told The Register that AI bug reports had gone from low-quality submissions to genuinely useful contributions.

This disagreement highlights current questions within open source projects about how to incorporate AI-assisted security research without overwhelming maintainers.

The issue is further underlined by a separate proposal from Nvidia engineer Sasha Levin. Levin suggested a Linux kernel kill mechanism to allow administrators to temporarily disable vulnerable features while waiting for patches. Both points reflect increasing pressure on the kernel security workflow as outside researchers make growing use of AI tools.


