Linus Torvalds says flood of duplicate AI-generated vulnerability reports has made Linux security mailing list 'almost entirely unmanageable' — private list 'a waste of time for everybody involved' in switch to new public system
New kernel documentation now formally requires AI-found bugs to be reported publicly.
Linus Torvalds declared the Linux kernel's private security mailing list "almost entirely unmanageable" on Sunday in his weekly post to the Linux Kernel Mailing List (LKML), blaming a flood of duplicate vulnerability reports generated by researchers running the same AI tools against the same code. The complaint accompanied the release of Linux 7.1-rc4 and a pointer to newly merged documentation that formalizes how AI-assisted bug reports should be handled.
The problem, according to Torvalds, is the combination of volume and redundancy: multiple researchers are independently discovering identical bugs using automated tools and filing them separately on a private mailing list, where nobody can see what has already been submitted. Maintainers end up spending their time triaging duplicates and directing reporters to fixes that were merged weeks earlier.
"AI detected bugs are pretty much by definition not secret, and treating them on some private list is a waste of time for everybody involved," Torvalds wrote on LKML.
Torvalds pointed developers to the project's security bug documentation, which states that vulnerabilities found using AI tools should be treated as public disclosures and submitted directly to the relevant maintainers, not routed through the private security list. Reports must be concise, formatted in plain text, and include a verified reproducer.
In March, Willy Tarreau, the creator of HAProxy and a longtime Linux kernel stable maintainer, said in comments posted to LWN that the kernel security mailing list, which received roughly two to three reports per week two years ago, now receives five to 10 reports per day. Most are solid finds, but the duplication across researchers using similar tooling has overwhelmed the existing triage process.
Torvalds urged researchers to go further than filing raw findings. "If you actually want to add value, read the documentation, create a patch too, and add some real value on top of what the AI did," he wrote. "Don't be the drive-by 'send a random report with no real understanding' kind of person."
This Torvalds-endorsed approach is exactly what fellow maintainer Greg Kroah-Hartman has been doing with his "Clanker T1000" system, a Framework Desktop-powered bug-finding tool: discover the issue, write the fix, take responsibility for the patch, and submit it publicly.
The Linux kernel project formalized its broader stance on AI-assisted contributions last month, establishing a project-wide policy that permits AI-generated code provided developers follow strict disclosure rules.
Under that policy, AI agents cannot use the legally binding "Signed-off-by" tag, and contributors must use a new "Assisted-by" tag for transparency. Every line of AI-generated code, and any resulting bugs, remains the legal responsibility of the human who submits it.
Luke James is a freelance writer and journalist. Although his background is in law, he has a personal interest in all things tech, especially hardware and microelectronics, and anything regulatory.
wakuwaku wrote, quoting the article: "Torvalds urged researchers to go further than filing raw findings. 'If you actually want to add value, read the documentation, create a patch too, and add some real value on top of what the AI did,' he wrote. 'Don't be the drive-by "send a random report with no real understanding" kind of person.'"
Excellent! Now let's all hope Mr. Tom and his lackeys read this and understand that they should also practice the same thing. If all you do is just copy and paste the exact output of an AI as an article, where is your value?
As long as you all keep up all this <Mod Edit>, we readers will keep on pointing it out. Don't like it? Then fix your <Mod Edit>.
xiq wrote, in reply to wakuwaku: Seems like an ok article to me, nothing groundbreaking but interesting and concise. Are you suggesting it's written by an LLM or that you just don't like the writing? Can you explain what's got you so mad?
blppt wrote: I wonder if AI will be the thing that finally gets Linus to say "I'm done" and retire. He's been hinting about stepping back for a while.