Linus Torvalds: AI-Powered Bug Hunters Are Making Linux Security List Nearly Unmanageable

Original: Linux security mailing list 'almost unmanageable'

May 18, 2026, by Insights AI (HN)

The Situation

The Linux kernel's security mailing list is being overwhelmed by AI-generated bug reports. Multiple researchers using the same AI tools are independently discovering the same vulnerabilities and each submitting reports to the private list, creating a duplicate-handling burden that has become unmanageable. According to The Register, Torvalds described the situation as generating "unnecessary pain and pointless work."

Torvalds' Core Argument

The fundamental contradiction Torvalds identifies: "AI detected bugs are pretty much by definition not secret." If multiple researchers with AI tools will independently find the same vulnerability, routing it through a private mailing list serves no purpose.

His recommendation: "If you found a bug using AI tools, the chances are somebody else found it too." Do not just file a report — write a patch and add genuine value.

Maintainer Reality

  • Kernel maintainers spend excessive time forwarding or acknowledging duplicate reports
  • Already-fixed bugs are repeatedly re-reported
  • Signal-to-noise ratio drops, making real threats harder to triage

A Contrasting View and Broader Tension

Kernel maintainer Greg Kroah-Hartman recently expressed more optimism about AI's usefulness for open source, highlighting that perspectives within Linux leadership are not uniform. The proliferation of AI security tools is accelerating vulnerability discovery while simultaneously straining the responsible disclosure processes that communities depend on. The tools have outpaced the norms — and the Linux kernel is feeling it first.
