
Linus Torvalds says flood of duplicate AI-generated vulnerability reports has made Linux security mailing list 'almost entirely unmanageable' — private list 'a waste of time for everybody involved' in switch to new public system

Why This Matters

Linus Torvalds says that duplicate AI-generated vulnerability reports have overwhelmed the Linux kernel's private security mailing list, making it nearly unmanageable. The episode underscores the need for better coordination and standardized reporting practices so that maintainers can respond to genuine findings efficiently. Treating AI-found bugs as public disclosures is meant to streamline vulnerability handling and cut the redundant triage work caused by many researchers filing the same finding separately.

Key Takeaways

Linus Torvalds declared the Linux kernel's private security mailing list "almost entirely unmanageable" on Sunday in his weekly post to the Linux Kernel Mailing List (LKML), blaming a flood of duplicate vulnerability reports generated by researchers running the same AI tools against the same code. The complaint accompanied the release of Linux 7.1-rc4 and a pointer to newly merged documentation that formalizes how AI-assisted bug reports should be handled.

The problem, according to Torvalds, is the combination of volume and redundancy: multiple researchers are independently discovering identical bugs using automated tools and filing them separately on a private mailing list, where nobody can see what has already been submitted. Maintainers end up spending their time triaging duplicates and directing reporters to fixes that were merged weeks earlier.

"AI detected bugs are pretty much by definition not secret, and treating them on some private list is a waste of time for everybody involved," Torvalds wrote on LKML.


Torvalds pointed developers to the project's security bug documentation, which states that vulnerabilities found using AI tools should be treated as public disclosures and submitted directly to the relevant maintainers, not routed through the private security list. Reports must be concise, formatted in plain text, and include a verified reproducer.

In March, Willy Tarreau, the creator of HAProxy and a longtime Linux kernel stable maintainer, said in comments posted to LWN that the kernel security mailing list, which received roughly two to three reports per week two years ago, now receives five to 10 reports per day. Most are solid finds, but the duplication across researchers using similar tooling has overwhelmed the existing triage process.

Torvalds urged researchers to go further than filing raw findings. "If you actually want to add value, read the documentation, create a patch too, and add some real value on top of what the AI did," he wrote. "Don't be the drive-by 'send a random report with no real understanding' kind of person."

This Torvalds-endorsed approach is exactly what fellow maintainer Greg Kroah-Hartman has been doing with his “Clanker T1000” system, a Framework Desktop-powered bug-finding tool: discover the issue, write the fix, take responsibility for the patch, and submit it publicly.


The Linux kernel project formalized its broader stance on AI-assisted contributions last month, establishing a project-wide policy that permits AI-generated code provided developers follow strict disclosure rules.
