Linus Torvalds said a surge of duplicate AI-generated vulnerability reports has made the Linux security mailing list almost entirely unmanageable [1, 2, 3].

This development highlights a growing tension between automated security tools and the human developers tasked with maintaining the world's most widely used open-source kernel. As AI tools lower the barrier for bug hunting, the resulting volume of noise threatens to obscure genuine threats and overwhelm the project's infrastructure.

Torvalds addressed the issue in a "State of the Kernel" post published in September 2023 [1, 3]. He said that the private security list is currently plagued by reports from different people using the same tools to find the same flaws [3].

"Everyone is using AI to report on the same flaws, most of which have already been fixed," Torvalds said [2].

This duplication has created a systemic bottleneck. Torvalds said the flood of reports has made the list nearly impossible to manage because of the enormous amount of redundancy [3]. He said that the current method of keeping these reports on a private list is a waste of time for everyone involved [1, 2].

According to Torvalds, bugs detected by AI are generally not secret by nature [1]. Because these tools are widely available, multiple users often discover the same vulnerability simultaneously, or discover a bug that the development team has already patched [2, 3].

To resolve these inefficiencies, the project is moving toward a new public system for security reports [1, 2]. Torvalds said that handling AI-detected bugs on a private list is inefficient because the nature of the detection method makes secrecy unlikely [1].

"The continued flood of AI reports has basically made the security list almost entirely unmanageable."

The shift from a private to a public security mailing list reflects a fundamental change in how vulnerabilities are discovered. When security flaws are found via manual research, private disclosure allows for a coordinated patch. However, when the same AI tool is used by thousands of hunters, the 'secret' is out instantly, making private lists a hindrance rather than a help to kernel stability.