Linus Torvalds: AI-Powered Bug Hunters Are Making Linux Security List Nearly Unmanageable
Original: Linux security mailing list 'almost unmanageable' View original →
The Situation
The Linux kernel's security mailing list is being overwhelmed by AI-generated bug reports. Multiple researchers using the same AI tools are independently discovering the same vulnerabilities and each submitting reports to the private list, creating a duplicate-handling burden that has become unmanageable. According to The Register, Torvalds described the situation as generating "unnecessary pain and pointless work."
Torvalds' Core Argument
The fundamental contradiction Torvalds identifies: "AI detected bugs are pretty much by definition not secret." If multiple researchers with AI tools will independently find the same vulnerability, routing it through a private mailing list serves no purpose.
His recommendation: "If you found a bug using AI tools, the chances are somebody else found it too." Do not just file a report — write a patch and add genuine value.
Maintainer Reality
- Kernel maintainers spend excessive time forwarding or acknowledging duplicate reports
- Already-fixed bugs are repeatedly re-reported
- Signal-to-noise ratio drops, making real threats harder to triage
A Contrasting View and Broader Tension
Kernel maintainer Greg Kroah-Hartman recently expressed more optimism about AI's usefulness for open source, highlighting that perspectives within Linux leadership are not uniform. The proliferation of AI security tools is accelerating vulnerability discovery while simultaneously straining the responsible disclosure processes that communities depend on. The tools have outpaced the norms — and the Linux kernel is feeling it first.
Related Articles
Google said it is pairing new funding with AI-powered security tooling to help open source maintainers respond faster as AI increases both vulnerability discovery and attack pressure. The announcement combines a collective $12.5 million pledge through Alpha-Omega with wider use of tools such as Big Sleep, CodeMender, and Sec-Gemini.
A public issue carrying hostile instructions became the evidence HN needed for a sharper debate about agent permissions.
Anthropic said on March 17, 2026 that open source security is becoming more important as AI grows more capable. In its X post, the company said it is donating to the Linux Foundation to help secure the software foundations AI depends on.