Linus Torvalds Says AI Bug Reports Have Made Linux Security
Linus Torvalds has warned that a “continued flood” of AI-generated bug reports is rendering the Linux security mailing list “almost entirely unmanageable.” In response, the project is tightening its rules for reporting and handling AI-discovered issues.
In the Linux 7.1‑rc4 announcement, Torvalds noted that the security list is being overwhelmed by AI‑assisted reports, many of which describe the same flaws found by multiple people running the same tools.
He called this “pointless churn,” stressing that maintainers are wasting time forwarding duplicates or replying that issues were fixed “a week/month ago” instead of writing code.
Linus Torvalds on AI Bug Reports
Torvalds also emphasized that bugs discovered via automated or AI tools are “pretty much by definition not secret,” arguing they should not be treated as sensitive zero‑days that require private handling.
According to him, routing these findings through private lists only hides duplicates from each other and amplifies the overload.
Ahead of 7.1, the kernel tree merged updated “security‑bugs” documentation that formally defines what counts as a true security vulnerability and how AI‑assisted reports must be triaged.
The private security list is now explicitly reserved for urgent, easily exploitable bugs that cross a clear trust boundary and affect many users on properly configured production systems.
For AI‑detected issues, the documentation states they should generally be treated as public, because such bugs “systematically surface simultaneously across multiple researchers, often on the same day.”
Reporters are told to avoid posting full reproducers or exploits publicly; instead, they should note that one exists and provide it privately when maintainers request it.
Kernel maintainers have also laid down stricter quality expectations for AI‑assisted submissions.
Quality Requirements For AI Bug Reports
Reports must be concise, in plain text (no heavy formatting), and focus on concrete, verifiable impact rather than speculative “what if” chains.
The guidance requires reporters to actually reproduce the AI‑flagged issue, include a tested reproducer, and, ideally, propose and test a patch, rather than firing off drive‑by reports generated by tools they do not fully understand.
Torvalds reinforced this in his mail, urging contributors to “add some real value on top of what the AI did” and not be “the drive‑by ‘send a random report with no real understanding’ kind of person.”
Torvalds and other maintainers are not rejecting AI outright; earlier comments credited modern tools with helping uncover subtle corner‑case bugs and described this volume as a “new normal” for kernel development.
The problem, they say, is process: unfiltered AI‑generated reports routed as private “security” issues are burning review bandwidth and slowing real vulnerability response.
By clarifying that AI‑found bugs are not inherently confidential and tightening triage rules, the kernel project is trying to keep automated discovery useful without letting it paralyze the security workflow.
For researchers and tool users, the message is clear: AI is welcome, but only when it leads to high‑signal reports, public tracking of non‑sensitive flaws, and patches that actually improve Linux security.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.