Linus Torvalds says AI bug reports have made Linux security list 'almost entirely unmanageable'

Linus Torvalds admits he has a 'love-hate relationship with AI'

AI continues to be a mixed blessing when it comes to finding and fixing security bugs. Speaking at the Linux Foundation's Open Source Summit North America, Linux creator Linus Torvalds said modern AI tools are reshaping how developers work on the kernel, driving up contribution volume and exposing new social and security stresses in the open‑source world. But he insisted "AI is a great tool, but it's a tool" rather than a wholesale replacement for programmers. Now, if only the companies laying off tech workers left and right would listen. Also: Microsoft surprises with its first server Linux distribution: Azure Linux 4.0 In the meantime, Torvalds, in his discussion with Dirk Hohndel, who is Verizon's open source program office head, Linux kernel maintainer, and Torvalds' buddy, added that while the Linux kernel's long‑standing release process has been stable "for pretty much exactly 20 years" since the move to Git, that trend broke about six months ago as AI coding tools took off. "In the last six months, we've seen a lot more commits," Torvalds noted, estimating that "the last two releases, it's been about 20% more commits than we had in the previous releases over many years." Initially, Torvalds misread the spike as excitement around a major version change: "At first I thought, 'hey, people are excited about the 7.0 release because I changed the major number every once in a while...' and it turns out I was wrong. The real change that happened in the last six months was that the AI tools actually got good enough for a lot of people... we're seeing a definite uptick in just development on pretty much all fronts." Torvalds acknowledged that the new tools lower the barrier of entry for contributors, echoing Hohndel's observation that "the tooling actually lowers this initial barrier... [and] does a big chunk of the work." But he emphasized that the real impact is social rather than purely technical: "The big pain points in Linux, traditionally, and I suspect in most projects, have not been so much the code itself, but... when you are forced to change how you work." Also: Ubuntu Core 26 offers an immutable Linux you can trust through 2041 One of the biggest flashpoints has been the Linux kernel security mailing list, which Torvalds said was recently "overrun by duplicate reports" generated with AI. "People think that when they find a bug with AI, the first reaction sometimes seems to be, let's send it to the security list, because this may have security implications," he said. The result, on a deliberately small, confidential list, was that "we were flooded by people sending bugs, and then you have this list with very few people on it... and we spent all our time just forwarding these reports to... the other developers who knew that area better." To cope, Torvalds announced new AI security disclosure guidelines with a blunt rule: "If you find a security bug with AI, you should basically consider it to be public, just because if you found it with AI, 100 other people also found it with AI." At the same time, he urged researchers not to publish working exploits: "When it comes to things that really are security issues, you may not want to make the exploit public... Don't be that guy who then crows about it publicly and says, 'Look, I could bring down this big company.'" Torvalds linked the disclosure debate to broader shifts in the security ecosystem. In the past, he said, the kernel community would quietly notify distributions about a bug and ask them to upgrade without detailing the vulnerability, and "most of the time, nobody would figure out what happened." Now, with AI‑accelerated analysis, he recalled that "last week, we fixed the bug; within three hours, there was a blog post about the implications of that bug fix, because security people love getting attention." Also: The 4th Linux kernel flaw this month can lead to stolen SSH host keys He went out of his way to argue that closing the source is not an answer: "I don't think, for example, that the solution is to not do open source, because if you think that AI can't reverse engineer closed source, you're in for a surprise." In fact, he warned, "closed source is even worse in this respect, because the AI can't help you fix the problems, but the AI sure can help find those problems in the first place." Torvalds is right. While Windows vulnerabilities, except for the truly horrid ones, no longer receive much attention, AI is also finding plenty of security holes in Windows as well. As Dustin Childs, head of threat awareness at Trend Micro's Zero Day Initiative, observed recently, "Microsoft's total count came to 1,139 CVEs patched in 2025," which was the second-highest, behind 2020. Childs expects, "as AI bugs become more prevalent, this number is likely to go higher in 2026." Meanwhile, back at Open Source Summit, Hohndel criticized vendors who hype vulnerabilities without responsibly coordinating fixes. He cited four recent local privilege escalation bugs in the kernel, "two of which were disclosed exactly" with branded names, domains, and logos before maintainers were contacted. "My response is always, here is a company I never want to work with, because if you do that to the Linux kernel, you do this to anyone." As annoying as this is, Torvalds admitted to having a love‑hate relationship with AI. "I actually really like it from a technical angle. I love the tools. I find it very useful and interesting, but it is definitely causing pain points," he said. Also: 10 trillion downloads are crushing open-source repositories - here's what they're doing about it On the positive side, he framed AI‑discovered bugs as "short-term pain" with long‑term benefits: "When AI finds a bug in any source code... long term is you found a bug, we fixed it, that the end result is better for it." After all, he continued, "I think finding bugs is great, because the real problem is all the bugs you didn't find." But he warned of "social choke points and social pain points" as AI pours traffic into already overstretched communities, especially in the "10s of 1000s of random projects that people maintain that are not the Linux kernel." For small teams or solo maintainers, he said, flood‑style AI bug reports can cause real burnout, especially when "it's a bug report, and when you ask for more information, the person has done a drive-by and doesn't even answer your questions anymore." Torvalds added that maintenance is increasingly about people rather than code. "For me, as a top-level maintainer, I don't do a lot of coding. My job is working with people, and I do not use AI to work with people. Thank you. And I should suggest you don't do that either." Torvalds has come a long way from the days when he was known for treating poor coders with contempt. Stepping away from Linux, when asked what advice he would give to someone at the beginning of their career amid doom‑and‑gloom forecasts that "all code will be written by AI," Torvalds pushed back hard on marketing claims. "My opinion has always been that AI is a great tool, but it's a tool, and when I see people saying, 'hey, 99% of our code is written by AI,' I literally get angry." He contrasted those claims with the reality that "100% of their code is written by compilers," and traced his own path from hand‑entered machine code to assemblers, then compilers, and now AI helpers. "I grew up writing machine code, and when I say machine code, I don't mean assembly language, I mean the numbers," he said, recalling that "it took me a while to understand that writing down the numbers and calculating offsets for branches is kind of stupid, and people had come up with this tool called an assembler, and then later on I figured out compilers are good too. These days, I'm figuring out AI tools are good too." So, Torvalds argued, "I'm personally 100% convinced that AI is changing programming, but it's not changing the fundamentals." Just as compilers increased productivity "by a factor of 1000," he estimates that "AI will increase your productivity by a factor of 10," but insists "AI is great, but AI is not changing programming." Instead, he contended, "a lot of people will use AI to generate the code that the compilers use to generate the code that the assemblers then use to generate the machine code. This is revolutionary in the same sense that we've seen revolutions before." Crucially, Torvalds said, would‑be developers still need to understand what their tools produce. "You do want to understand how it all works in the end," he said. "Even when I use AI for my pet toy projects, I will use AI to generate code, I will look at that code, I will actually still look at the assembly language... because it's what I grew up with." For any serious, long‑lived system, he warned, "you need to understand not just your prompts, but you need to understand the end result too, because that's the only way you can maintain it long term." Also: 51% of professionals say AI workslop lowers their productivity - stop it in 2 steps Throughout the session, Torvalds returned to a consistent theme: open source and now AI tools are powerful ways to manage software complexity, but they do not replace the need for human judgment, community norms, and a deep understanding of the systems being built. "Software is very complicated," he said, and "the only really good way to manage the complexity of a complex infrastructure is open source," with AI now layered in as just one more tool in the programmer's toolbox.

Linus Torvalds says Linux security list is becoming 'unmanageable' due to AI bug reports

Linux founder Linus Torvalds said in his most recent state of the kernel post that "the continued flood of AI reports has basically made the security list almost entirely unmanageable, with enormous duplication due to different people finding the same things with the same tools," as The Register reports. That probably doesn't apply to stuff like the "Copy Fail" exploit, which was detected with help from AI and affected nearly every Linux distro. "The documentation may be a bit less blunt than I am," Torvalds said. "So just to make it really clear: if you found a bug using AI tools, the chances are somebody else found it too." He called the duplicate bug reports "entirely pointless churn," stating: We're making it clear that AI detected bugs are pretty much by definition not secret, and treating them on some private list is a waste of time for everybody involved - and only makes that duplication worse because the reporters can't even see each other's reports. AI tools are great, but only if they actually help, rather than cause unnecessary pain and pointless make-believe work. Feel free to use them, but use them in a way that is productive and makes for a better experience. Torvalds went on to add, "If you actually want to add value, read the documentation, create a patch too, and add some real value on top of what the AI did. Don't be the drive-by 'send a random report with no real understanding' kind of person." GitHub senior product security engineer Jarom Brown similarly responded to a wave of AI bug reports recently, saying that while GitHub has "no problem" with AI tools in general, AI-assisted bug reports need to be validated to be useful. An AI-assisted finding that's been verified, reproduced, and submitted with a working proof of concept is a great submission. An unvalidated output submitted as-is without reproduction or demonstrated impact is not... If you've been prioritizing volume, we'd encourage a shift toward depth. One well-researched, validated finding is worth more than 10 speculative ones, both in bounty payout and reputation. The researchers who earn the most from our program are the ones who go deep.

Flood of duplicate vulnerability reports have made Linux security mailing list 'almost entirely unmanageable' -- Linus Torvalds says private list 'a waste of time for everybody involved' in switch to new public system

New kernel documentation now formally requires AI-found bugs to be reported publicly. Linus Torvalds declared the Linux kernel's private security mailing list "almost entirely unmanageable" on Sunday in his weekly post to the Linux Kernel Mailing List (LKML), blaming a flood of duplicate vulnerability reports generated by researchers running the same AI tools against the same code. The complaint accompanied the release of Linux 7.1-rc4 and a pointer to newly merged documentation that formalizes how AI-assisted bug reports should be handled. The problem, according to Torvalds, is the combination of volume and redundancy: multiple researchers are independently discovering identical bugs using automated tools and filing them separately on a private mailing list, where nobody can see what has already been submitted. Maintainers end up spending their time triaging duplicates and directing reporters to fixes that were merged weeks earlier. "AI detected bugs are pretty much by definition not secret, and treating them on some private list is a waste of time for everybody involved," Torvalds wrote on LKML. Torvalds pointed developers to the project's security bug documentation, which states that vulnerabilities found using AI tools should be treated as public disclosures and submitted directly to the relevant maintainers, not routed through the private security list. Reports must be concise, formatted in plain text, and include a verified reproducer. In March, Willy Tarreau, the creator of HAProxy and a longtime Linux kernel stable maintainer, said in comments posted to LWN that the kernel security mailing list, which received roughly two to three reports per week two years ago, now receives five to 10 reports per day. Most are solid finds, but the duplication across researchers using similar tooling has overwhelmed the existing triage process. Torvalds urged researchers to go further than filing raw findings. "If you actually want to add value, read the documentation, create a patch too, and add some real value on top of what the AI did," he wrote. "Don't be the drive-by 'send a random report with no real understanding' kind of person." This Torvalds-endorsed approach is exactly what fellow maintainer Greg Kroah-Hartman has been doing with his "Clanker T1000" system, a Framework Desktop-powered bug-finding tool: discover the issue, write the fix, take responsibility for the patch, and submit it publicly. The Linux kernel project formalized its broader stance on AI-assisted contributions last month, establishing a project-wide policy that permits AI-generated code provided developers follow strict disclosure rules. Under that policy, AI agents cannot use the legally binding "Signed-off-by" tag, and contributors must use a new "Assisted-by" tag for transparency. Every line of AI-generated code, and any resulting bugs, remains the legal responsibility of the human who submits it. Follow Tom's Hardware on Google News, or add us as a preferred source, to get our latest news, analysis, & reviews in your feeds.

Linus Torvalds says AI-powered bug hunters have made Linux security mailing list 'almost entirely unmanageable'

Linux kernel boss Linus Torvalds has declared the project's security mailing list has become "almost entirely unmanageable" due to multiple researchers using AI to find bugs and then filling the list with duplicate reports. Torvalds used his weekly state of the kernel post to deliver release candidate four for Linux 7.1 and report "fairly normal" progress towards a full release. He then pointed kernelistas to the project's documentation, which he wrote "might be worth highlighting" as "the continued flood of AI reports has basically made the security list almost entirely unmanageable, with enormous duplication due to different people finding the same things with the same tools." "People spend all their time just forwarding things to the right people or saying 'that was already fixed a week/month ago' and pointing to the public discussion," Torvalds complained. The Penguin Emperor believes that kind of chatter is "all entirely pointless churn" and isn't productive because "AI detected bugs are pretty much by definition not secret, and treating them on some private list is a waste of time for everybody involved - and only makes that duplication worse because the reporters can't even see each other's reports." He then offered an opinion on how best to use AI to improve software security. "AI tools are great, but only if they actually help, rather than cause unnecessary pain and pointless make-believe work," he wrote. "Feel free to use them, but use them in a way that is productive and makes for a better experience." "The documentation may be a bit less blunt than I am," he added, "but that's the core gist of it." "So just to make it really clear: If you found a bug using AI tools, the chances are somebody else found it too. If you actually want to add value, read the documentation, create a patch too, and add some real value on *top* of what the AI did. Don't be the drive-by 'send a random report with no real understanding' kind of person. OK?" Torvalds' remarks contrast with recent comments from fellow kernel maintainer Greg Kroah-Hartman, who recently told The Register that AI has become an increasingly useful tool for the FOSS community. ®

Linux developers are getting bombarded with AI-generated bug reports, and Linus isn't happy

* AI scans flood private security list with duplicate, minor bug reports, making it unmanageable. * Treat AI-detected bugs as public; private reports just hide duplicates and waste maintainers' time. * If AI finds a bug, roll up your sleeves: fix it (don't just send drive-by reports or blame the tool). During the release candidate cycle for Linux 7.0, Linus began noticing something weird. The number of bug reports for Linux 7.0 was more than usual, but at the same time, the bugs being found were pretty minor and not worth delaying the release. At the time, Linus suspected that the rise in reports was due to people using AI tools to scan for and identify bugs, and it turns out, he was right. Now, as we move into what Linus calls "the new normal" with a larger-than-average number of bug reports, it turns out that people aren't properly reporting the issues their AI assistants find. And Linus is getting a little peeved over it. AI tools may be why Linux 7.0's RC cycle was so choppy, but Linus just shipped it anyway We may be entering a new era of Linux kernel development. Posts By Simon Batt Linux 7.1-rc4's release notes include some AI-based woes Use AI responsibly, people Linus Torvalds has just published a newsletter announcing Linux 7.1's fourth release candidate. These candidates are for testing and bug-fixing, meaning that it's prime season for maintainers to get a flood of bug reports that they have to sort through. Unfortunately, it seems the rise of AI tools in finding bugs is causing some real issues with the developers. It turns out that people are siccing their AI assistants onto the code, collecting all the found bugs into a document, and then shipping it over Linux's security list. This list is private, as it's meant for serious bugs that would cause a ton of damage if they became public knowledge. The problem is, not only are the AI-found bugs particularly system-breaking, but the private reporting means nobody else knows the bug has already been spotted. The end result is a tidal wave of bug reports as several AI assistants all find the exact same bug and then send the report over a private channel. As Torvalds himself puts it: ...the continued flood of AI reports has basically made the security list almost entirely unmanageable, with enormous duplication due to different people finding the same things with the same tools. People spend all their time just forwarding things to the right people or saying "that was already fixed a week/month ago" and pointing to the public discussion. Which is all entirely pointless churn, and we're making it clear that AI detected bugs are pretty much by definition not secret, and treating them on some private list is a waste of time for everybody involved - and only makes that duplication worse because the reporters can't even see each other's reports. Torvalds does explain that he doesn't want to dissuade people from using AI; he just wants people to use it intelligently. He goes on to say that, if an AI finds a bug, there's a very good chance that someone else has already found it with the exact same tool, and if people really wanted to be helpful, they could roll up their sleeves and code up a fix instead of just giving drive-by reports. Of course, if the same people use AI to generate the fix, they can't just shift blame onto their agent if something goes wrong. Linux 7.1-rc1 brings faster, safer file transfers between Windows and Linux partitions with a brand new NTFS driver Also, the i486's time is nigh. Posts By Simon Batt

'Almost entirely unmanageable': Linus Torvalds says AI bug hunters have ruined Linux security mailing list

* Linus Torvalds warns AI‑generated bug reports are overwhelming the Linux security mailing list with duplication and noise * He urged researchers to add real value by creating patches instead of submitting random automated findings * Similar concerns have already led projects like curl and HackerOne's Internet Bug Bounty Team to shut down or restrict bug bounty programs The Linux security mailing list is now "almost entirely unmanageable", since researchers started using Artificial Intelligence (AI) to flood it with useless reports, lead maintainer Linus Torvalds has warned. After describing the latest release candidate as "fairly normal" in his latest weekly state of the kernel post, addressing things like drivers, networking, core kernel, and more, Torvalds stressed that "some of the documentation updates might be worth highlighting." "The continued flood of AI reports has basically made the security list almost entirely unmanageable, with enormous duplication due to different people finding the same things with the same tools," he said. "People spend all their time just forwarding things to the right people or saying "that was already fixed a week/month ago" and pointing to the public discussion". Entirely pointless churn Torvalds stressed these reports are "entirely pointless churn", since most of the bugs AI tools detects are "pretty much by definition not secret", and that reporting that "only makes duplication worse". Besides complaining, Torvalds also gave a few concrete pointers, telling researchers to use AI "in a way that is productive and makes for a better experience": "The documentation may be a bit less blunt than I am, but that's the core gist of it," he concluded. "If you actually want to add value, read the documentation, create a patch too, and add some real value on *top* of what the AI did. Don't be the drive-by "send a random report with no real understanding" kind of person." Torvalds is not the first person to point to people using AI to cause a flood of pointless reports. In late January this year, the developers of curl, the open source command-line tool and software library, announced they were killing their HackerOne bug bounty program for the same reasons. HackerOne also recently reported the Internet Bug Bounty Team, which it manages, would no longer reward researchers who identify and reward bugs. Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.

AI is raising hell for Linux managers buried under a flood of dupe bug reports

Torvalds' latest Linux update warns that AI-assisted reporting can create more maintenance work when contributors skip verification AI may be finding Linux bugs faster than humans can sort them. In the Linux 7.1-rc4 update, Linus Torvalds said the kernel's security list has been swamped by AI-assisted bug reports, many of them duplicates from people using similar tools and finding the same issues. The release itself looks routine, with drivers making up about half the patch and GPU fixes leading the way. Recommended Videos The sharper warning is about what happens after an AI tool flags a possible flaw. Torvalds is drawing a line between useful AI-assisted work and submissions that arrive without verification, context, or patches. Those weak reports are turning bug sorting into extra work for the people maintaining Linux. Why the inbox keeps overflowing Linux isn't telling developers to stop using AI. The project's own guidance keeps responsibility on the contributor, which means AI-assisted work still has to follow the normal kernel process. A machine-generated finding doesn't arrive ready for action. Reviewers still have to check whether it can be reproduced, whether someone already reported it, whether it was fixed earlier, and whether it belongs in a private security channel. One vague claim can start a chain of routing, follow-up, and cleanup. Who pays when AI skips homework The cost lands on maintainers first. Every weak submission still needs a human to read it, compare it with existing work, and decide where it belongs. That burden is starting to show up beyond Linux. In a separate open-source flare-up, Matplotlib maintainer Scott Shambaugh said an AI agent lashed out publicly after one of its code contributions was rejected, turning a routine project decision into reputational cleanup. Linux is dealing with a quieter version of the same pressure, with AI-generated work arriving faster than project volunteers can responsibly absorb it. Torvalds' warning lands harder than a normal release note because it describes a labor problem hiding inside an automation story. AI has lowered the cost of creating work for maintainers without lowering the cost of resolving it. What consumers should watch next Consumers won't feel this as an instant device-security crisis. The risk is slower, noisier patch work behind the scenes, especially because Linux helps power cloud services, routers, phones, smart TVs, and other connected hardware. The best AI-assisted findings can help real flaws get fixed faster. The bad ones can delay the path from discovery to patch by forcing kernel developers to clear duplicates and vague claims before useful work begins. The next thing to watch is whether more open-source projects follow Linux's lead and set firmer rules for AI-assisted contributions. AI can help secure software when humans bring proof, context, and patches with it.

'The continued flood of AI reports has basically made the security list almost entirely unmanageable': Linus Torvalds laments how people are wasting the Linux team's time with LLMs

Linux's creator isn't against the use of AI tools, he's just tired of folks using them and then doing nothing with what they've discovered In the world of software, it's common knowledge that Linus Torvalds isn't one to mince his words, and in a post about the latest kernel release candidate on the Linux mailing list archive, he was critical about people using AI tools to find bugs or other issues. Not because they used AI in the first place, but because countless people are essentially submitting messages that basically just say, 'here's a bug.' The missive in question (via The Register) starts with a note about how new drivers make up roughly half of the kernel update, especially GPU ones, with the rest of the changes covering "networking, core kernel, filesystems, and arch updates." From there, Torvalds turns his attention to documentation updates, or rather, one very specific element of it: "The continued flood of AI reports has basically made the security list almost entirely unmanageable, with enormous duplication due to different people finding the same things with the same tools." Linux's creator explains that the use of AI tools isn't the issue: it's just that it is something that numerous other people are also doing, and the constant influx of messages that are effectively nothing more than 'I used AI and it found this bug' is just wasting everyone's time and effort to process. Torvalds has no problem with the use of AI in software development, and for many engineers and full-time coders, LLMs are a great way of offloading some of the drudgery of the job or for testing out ideas before committing to a task. The problem here is that almost anyone can use a large language model to scan through millions of lines of code and find an issue or two somewhere. "If you found a bug using AI tools, the chances are somebody else found it too," Torvalds notes. "If you actually want to add value, read the documentation, create a patch too, and add some real value on *top* of what the AI did." It wouldn't surprise me if the Linux team ultimately end up creating a tool that automatically filters all such submissions, rejecting those that don't offer code solutions to the problems that AI has found. And if that tool just so happens to be an AI-based one, then so much the better.