Linus Torvalds says AI-powered bug hunters flooding the Linux security mailing list with duplicate reports have made it nearly unmanageable.
Key Takeaways
Multiple researchers using the same AI tools find the same bugs, creating massive duplication on the private security list.
Torvalds argues AI-detected bugs are by definition not secret and should not be routed to the private list at all.
New kernel documentation guidance: if you used AI to find a bug, treat it as public.
Torvalds’ ask: pair AI-found bugs with an actual patch, not a standalone report.
Greg Kroah-Hartman’s positive take on AI in FOSS and Torvalds’ complaint are compatible; both can coexist.
Hacker News Comment Review
Commenters confirmed the spam problem extends beyond security reports: a separate actor is sending 26 MB nonsensical AI-generated patch blasts to kernel mailing lists multiple times daily, likely as LLM poisoning.
There is broad agreement that report-only submissions without reproduction steps or patches should be treated as spam; one commenter suggested LLMs could be used for verification instead of just discovery.
The Register article was criticized for padding Torvalds’ brief rc4 release note into a misleading framing of conflict between Torvalds and Kroah-Hartman.
Notable Comments
@throawayonthe: Points to the updated kernel docs at docs.kernel.org/process/security-bugs.html, which now explicitly state that AI-assisted bug finds must be treated as public.