Linux kernel creator Linus Torvalds has delivered a blunt warning to AI-powered bug hunters, saying the flood of automated vulnerability reports has overwhelmed the project's security mailing list and is creating more work than it solves.
The remarks came in Torvalds' weekly release note for Linux 7.1-rc4, published on May 17, in which he flagged routine kernel progress before turning his attention to a growing operational headache. Drivers account for roughly half the patch, with GPU updates leading, "as is tradition," he noted, alongside networking, core kernel, filesystem, and architecture changes.
Almost Entirely Unmanageable
But it was an update to the project's documentation that he singled out as deserving attention. The security mailing list, he wrote, has been rendered "almost entirely unmanageable" by a relentless wave of AI-generated bug reports, with "enormous duplication due to different people finding the same things with the same tools."
Maintainers, he said, are burning time simply routing reports to the right people or informing submitters that the issue in question was already fixed "a week/month ago," with a pointer to the existing public discussion. "Which is all entirely pointless churn," Torvalds wrote.
His position is that bugs surfaced by AI tools are "pretty much by definition not secret," making a private security list the wrong venue and one that actively worsens duplication, since reporters cannot see what others have already submitted.
AI and its Right Use
Torvalds was careful not to dismiss AI outright. "AI tools are great," he wrote, "but only if they actually help, rather than cause unnecessary pain and pointless make-believe work." The problem, in his view, is not the technology but how it is being used.
His advice to contributors was pointed: if an AI tool found a bug, the odds are high that someone else found it too.
Adding real value means going further, reading the documentation, writing a patch, and building meaningfully on what the AI surfaced. "Don't be the drive-by 'send a random report with no real understanding' kind of person," he wrote.
The remarks reflect a friction emerging across open-source development as AI lowers the barrier to finding vulnerabilities without necessarily raising the quality or coordination of what gets reported, leaving human maintainers to absorb the noise.