
Linus Torvalds Says AI Bug Hunters Make Linux Security List "Almost Entirely Unmanageable"

Source: The Register — Simon Sharwood
Date: 2026-05-18


TL;DR

Multiple researchers running the same AI tools on the same codebase are flooding the private Linux kernel security mailing list with duplicate bug reports. Torvalds calls it "entirely pointless churn" that creates "unnecessary pain and pointless work." His prescription: AI bug hunters must check for duplicates themselves, and should add real value on top of what the tool found, such as a patch, rather than submit a bare report.


The Problem

In his weekly kernel status update for Linux 7.1 Release Candidate 4, Torvalds laid into the flood of AI-generated security reports:

"The continued flood of AI reports has basically made the security list almost entirely unmanageable, with enormous duplication due to different people finding the same things with the same tools."

The root cause: multiple researchers using identical AI tools independently find the same bugs, and the private nature of the security list means reporters can't see each other's submissions — making the duplication worse.

Torvalds says maintainers' time goes to simply forwarding reports to the right people or pointing out "that was already fixed a week/month ago."


Torvalds' Prescription

  1. Check for duplicates: if an AI tool found a bug, someone else running the same tool has probably found it too. Do the legwork yourself before reporting.
  2. Don't be a "drive-by" reporter: sending random reports with no real understanding is worse than useless.
  3. Add real value: read the project documentation and create a patch that builds on what the AI detected.
  4. Use public channels: non-secret AI-discovered bugs don't belong on the private security list, whose secrecy hides reports from other researchers and makes the duplication worse.

"If you found a bug using AI tools, the chances are somebody else found it too. If you actually want to add value, read the documentation, create a patch too, and add some real value on top of what the AI did."
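The first step in that prescription, checking for duplicates before a report goes anywhere near the security list, is something a reporter can script. The Python below is an added example written for this page, not code from Torvalds or from the kernel project: it collapses a batch of tool findings to one per (file, function, bug class), scans `git log --oneline` output for the flagged file for subjects that read like a fix, and builds a lore.kernel.org search URL for patches touching that file. The file names, function names, commit hashes and subjects in the sample data are constructed; the `dfn:` search prefix is assumed from public-inbox's search help, and the fix-word list is a heuristic of mine, not a kernel convention. `recent_log` runs real git against a local checkout when you have one.

```python
"""Pre-submission duplicate check for an AI-found kernel bug (added example)."""
import subprocess
from dataclasses import dataclass
from urllib.parse import quote_plus

# Words a fix commit subject typically carries (assumed heuristic, not a kernel rule).
FIX_WORDS = ("fix", "leak", "overflow", "use-after-free", "uaf", "null",
             "out-of-bounds", "oob", "race", "double free", "underflow")


@dataclass(frozen=True)
class Finding:
    """One tool-reported bug: file in the kernel tree, function, bug class."""
    path: str        # e.g. "drivers/net/ethernet/example/example_main.c" (constructed)
    func: str        # function the tool flagged
    bug_class: str   # short class: "uaf", "oob-read", "leak", ...

    def fingerprint(self) -> str:
        # Two reports of the same class in the same function are one bug,
        # whichever tool or prompt produced them.
        return f"{self.path}:{self.func}:{self.bug_class.lower()}"


def dedupe_batch(findings):
    """Collapse a batch of findings to one per fingerprint, keeping the first seen."""
    seen = {}
    for f in findings:
        seen.setdefault(f.fingerprint(), f)
    return list(seen.values())


def likely_already_fixed(finding, log_lines):
    """Return `git log --oneline` lines that look like a fix for this finding.

    Heuristic: the subject names the flagged function or the file's basename
    and contains a fix-like word. A hit means "read this commit", not "done"."""
    base = finding.path.rsplit("/", 1)[-1].rsplit(".", 1)[0].lower()
    hits = []
    for line in log_lines:
        subject = line.split(" ", 1)[1].lower() if " " in line else line.lower()
        names_it = finding.func.lower() in subject or base in subject
        fix_like = any(w in subject for w in FIX_WORDS)
        if names_it and fix_like:
            hits.append(line)
    return hits


def recent_log(tree, finding, since="6 months ago"):
    """Real check against a local kernel checkout (needs git and the tree)."""
    out = subprocess.run(
        ["git", "-C", tree, "log", "--oneline", f"--since={since}", "--", finding.path],
        capture_output=True, text=True, check=True,
    ).stdout
    return out.splitlines()


def lore_query_url(finding):
    """lore.kernel.org search for patches touching the file that name the function.

    `dfn:` is public-inbox's diff-filename prefix (assumed from its search help)."""
    query = f'dfn:{finding.path} "{finding.func}"'
    return "https://lore.kernel.org/all/?q=" + quote_plus(query)


# Constructed sample input: three findings from two tool runs, one of them a duplicate.
SAMPLE_FINDINGS = [
    Finding("drivers/net/ethernet/example/example_main.c", "example_rx_poll", "uaf"),
    Finding("drivers/net/ethernet/example/example_main.c", "example_rx_poll", "UAF"),
    Finding("fs/example/inode.c", "example_lookup", "oob-read"),
]

# Constructed `git log --oneline` output; hashes and subjects are invented.
SAMPLE_LOG = [
    "0123abc net: example: fix use-after-free in example_rx_poll",
    "4567def net: example: add statistics for RX queue",
    "89abcde fs/example: tidy up comments in inode.c",
]


def main():
    for f in dedupe_batch(SAMPLE_FINDINGS):
        hits = likely_already_fixed(f, SAMPLE_LOG)
        print(f"{f.fingerprint()}: "
              + ("possibly fixed already" if hits else "no obvious fix in log"))
        for h in hits:
            print("   ", h)
        print("    search:", lore_query_url(f))


if __name__ == "__main__":
    main()
```

Run it as-is to see the two sample verdicts; for a real finding, replace SAMPLE_LOG with `recent_log("/path/to/linux", finding)` and open the lore URL. A hit is a prompt to read the commit and the thread, not proof the bug is gone, and none of this replaces the part Torvalds says carries the value: reading the documentation and building a patch.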


Contrast: Greg Kroah-Hartman

Fellow kernel maintainer Greg Kroah-Hartman recently took a more measured view, telling The Register that AI has become an increasingly useful tool for the FOSS community.


My Take

Torvalds is right that the current incentive structure encourages spam: AI tools make bug-finding cheap, bug-reporting is free, and there's no penalty for flooding a list with duplicates because the cost falls entirely on volunteer maintainers. The private security list amplifies the problem by design. His fix — "add value on top of what the AI did" — raises the bar from zero-effort reports to something that actually helps. Expect other open-source projects facing the same flood to adopt similar norms or tooling (dedup bots, public-first AI report pipelines) soon.