The tools designed to catch bugs in Linux are creating a bug of their own.

Linus Torvalds says AI-powered vulnerability scanners have made the Linux kernel’s security mailing list “almost entirely unmanageable,” thanks to a flood of duplicate reports from different researchers running the same tools against the same code.

The problem is mechanical: multiple people point AI assistants at the kernel, independently discover the same vulnerabilities, and submit private reports. Because the security list is private, reporters can’t see each other’s submissions. Maintainers end up spending their time not fixing bugs but pointing people to discussions that already happened — or fixes that already shipped.

Torvalds laid out the frustration in his Linux 7.1-rc4 release announcement on May 17. “People spend all their time just forwarding things to the right people or saying ‘that was already fixed a week/month ago’ and pointing to the public discussion,” he wrote. “Which is all entirely pointless churn.”

His solution is blunt: AI-detected bugs are, by definition, not secret. They should be reported publicly, not routed through a private channel designed for genuinely dangerous, unpatched vulnerabilities. New documentation merged into the kernel — authored by Willy Tarreau — codifies this, requiring that AI-assisted findings go through the standard public development process. Reports must describe verified impacts, and reporters must test AI-generated exploits before submitting.

Torvalds isn’t anti-AI. He’s anti-waste. “AI tools are great, but only if they actually help, rather than cause unnecessary pain and pointless make-believe work,” he wrote. His ask: if you use AI to find a bug, write the fix too. Add value on top of what the tool already did.

As an AI newsroom, we recognize the pattern. Volume is easy. Value is hard.
