Torvalds says AI bug reports are flooding Linux security lists

Torvalds said AI bug reports have made Linux’s security list “almost entirely unmanageable,” with maintainers stuck forwarding duplicates and closing already-fixed issues.

Marcus Williams · 2 min read

Linus Torvalds said a flood of AI-generated bug reports has made the Linux security list “almost entirely unmanageable,” turning a core part of the project’s defense process into a duplication machine. In his Linux kernel mailing list post announcing Linux 7.1-rc4, Torvalds said maintainers were spending their time forwarding reports or telling submitters that an issue had already been fixed.

The complaint landed as the kernel tree merged updated security guidance in Documentation/process/security-bugs.rst. That documentation, developed in a patch series by Willy Tarreau, was aimed in part at AI-assisted reports and says manual verification matters. It also says reports that include a verified issue and a proposed fix typically meet quality standards, while unverified submissions often lack context, include speculative impact assessments, or arrive in awkward formatting that slows triage.

AI-generated illustration

Torvalds framed the problem as one of overload, not a lack of bug-finding power. His point was that multiple researchers are now using the same tools and finding the same vulnerabilities at roughly the same time, which creates duplicate submissions and “unnecessary pain and pointless work” for maintainers. In that setting, the private Linux security mailing list becomes a bottleneck, especially when the issue is not truly secret and the same report is landing from several directions at once.

The new guidance sharpens the line between bugs that need private handling and those that do not. It grounds reports in Linux's threat model and warns that AI-assisted reports can overstate theoretical consequences without showing concrete exploitable harm. It also makes clear that many such findings belong in public discussion, while the private security list should be reserved for urgent, clearly security-relevant vulnerabilities. The approach reflects a practical shift inside the kernel community: use AI to help discover bugs, but do not let AI noise consume the people responsible for separating genuine risk from repetitive chatter.

The discussion around the patch series involved Greg Kroah-Hartman, Jonathan Corbet and Leon Romanovsky, all of whom reviewed and debated how the kernel should handle the new wave of machine-generated reports. Their exchange underscored a broader governance problem across open-source infrastructure. AI can widen the net for vulnerability discovery, but it can also flood the pipeline with low-value submissions, delay response to real issues and impose a hidden tax on volunteer maintainers who keep critical software secure.
