Torvalds Offers Guidance as AI Bug Reports Clog Up Linux Security Workflow
Linux kernel maintainers are confronting a new operational problem tied to the rapid adoption of AI-assisted coding tools, as too many people are reporting the same vulnerabilities at the same time.
Linus Torvalds, in comments accompanying the fourth release candidate for Linux 7.1, said the kernel project’s private security mailing list has become difficult to manage because researchers using similar AI tools are repeatedly uncovering identical flaws and filing duplicate reports. The issue, he said, is consuming maintainer time that would be better spent fixing software.
AI systems can now scan large codebases for edge-case vulnerabilities and potential security defects at a scale previously impossible for individual researchers. But, echoing Torvalds, Linux maintainers say the output is creating redundant submissions, fragmented communication, and mounting triage work.
Torvalds did not criticize the use of AI itself. Instead, he argued that automated findings have limited value when contributors simply forward raw reports without validating them, understanding the underlying issue, or proposing a fix.
As Torvalds noted in his post, “AI tools are great, but only if they actually help, rather than cause unnecessary pain and pointless make-believe work. Feel free to use them, but use them in a way that is productive and makes for a better experience.”
He added: “If you found a bug using AI tools, the chances are somebody else found it too. If you actually want to add value, read the documentation, create a patch too, and add some real value on *top* of what the AI did. Don’t be the drive-by ‘send a random report with no real understanding’ kind of person. Ok?”
Send Reports to Relevant Maintainers
Recent changes to Linux security documentation state that vulnerabilities discovered through AI-assisted analysis should generally be treated as public issues rather than confidential disclosures. Maintainers argue that if multiple researchers can identify the same flaw with commonly available tools, secrecy provides little benefit.
Under the revised guidance, contributors are expected to send reports directly to relevant maintainers instead of routing them through the project’s private security list unless the issue represents a serious and actively exploitable vulnerability.
The documentation also raises the quality bar for submissions. Reports should include evidence that the bug can be reproduced, concise technical details, and ideally a tested patch. Maintainers are discouraging speculative reports based on theoretical attack chains or unverified AI output.
Developers may submit AI-assisted code, but responsibility for the software remains with the human contributor. The project also introduced disclosure requirements intended to clarify when AI tools played a role in producing code or patches.
Some maintainers are already integrating AI deeply into their workflows. Greg Kroah-Hartman, one of the project’s leading maintainers, has publicly discussed using automated systems to identify bugs and prepare fixes before submitting patches upstream.
The bottom line is that automated analysis is playing a valuable role, but the community must stay alert to low-effort reporting that consumes maintainer time and energy without advancing a solution.