Linux security list ‘unmanageable’ as AI bug reports flood in, says Torvalds
▼ Summary
– AI-detected bugs are not considered secret, and keeping them on private lists wastes everyone’s time and increases duplication.
– Private lists prevent reporters from seeing each other’s reports, worsening duplication.
– AI tools are beneficial only if they help, not if they create unnecessary work.
– The recommendation is to use AI productively to improve the overall experience.
The volume of AI-generated bug reports has become so overwhelming that Linus Torvalds now considers the Linux security mailing list nearly “unmanageable.” According to the project’s founder, these automated submissions are flooding a system designed for sensitive disclosures, creating a bottleneck that wastes everyone’s time.
Torvalds made clear that AI-detected bugs are, by their nature, almost never secret. Routing them through a private list, he argued, only compounds the problem. “Treating them on some private list is a waste of time for everybody involved,” he said. “And only makes that duplication worse because the reporters can’t even see each other’s reports.”
The kernel leader did not dismiss artificial intelligence outright. He acknowledged that AI tools can be great, but only when they genuinely assist rather than generate unnecessary friction. “Feel free to use them,” Torvalds advised, “but use them in a way that is productive and makes for a better experience.”
His comments highlight a growing tension in open-source security: as automation accelerates bug discovery, the human infrastructure for triaging those findings struggles to keep pace. For now, Torvalds is urging developers to think critically about how they deploy AI, ensuring that the technology reduces, rather than multiplies, the burden on maintainers.
(Source: The Verge)
