- Linus Torvalds warns that AI-generated bug reports are overwhelming the Linux security mailing list with duplication and noise.
- He urged researchers to add real value by creating patches instead of submitting automated and random results.
- Similar concerns have already led projects like curl and HackerOne’s Internet Bug Bounty team to shut down or restrict bug bounty programs.
The Linux security mailing list is now “almost entirely unmanageable” since researchers began using artificial intelligence (AI) to flood it with useless reports, senior maintainer Linus Torvalds has warned.
After describing the latest release candidate as “pretty normal” in his latest Weekly State of the Kernel article, covering things like drivers, networking, core kernel, and more, Torvalds pointed out that “some of the documentation updates might be worth highlighting.”
“The steady stream of AI reports has made the safety list almost entirely unmanageable, with huge duplications due to different people finding the same things with the same tools,” he said. “People spend all their time just passing things on to the right people or saying ‘this was already fixed a week/month ago’ and pointing the finger at the public debate.”
Totally unnecessary unsubscription
Torvalds pointed out that these reports are “completely useless,” since most bugs detected by AI tools are “pretty much by definition not secret,” and that these reports “only lead to more duplication.”
Besides complaining, Torvalds also gave some concrete advice, telling researchers to use AI “in a way that is productive and allows for a better experience”:
“The documentation may be a little less brutal than I am, but that’s the main thing,” he concluded. “If you really want to add value, read the documentation, also create a patch and add real value on top of what the AI did. Don’t be the ‘send a random report with no real understanding’ type.”
Torvalds is not the first person to point to people using AI to cause a flood of unnecessary reporting. In late January of this year, the developers of curl, the open source command line tool and software library, announced that they were removing their HackerOne bug bounty program for the same reasons.
HackerOne also recently reported that the Internet Bug Bounty team, which it manages, would no longer reward researchers who identify and report bugs.





