
Linus Torvalds: AI Bug Hunters Are Drowning the Linux Security List in Duplicate Garbage

Linus Torvalds has criticised the flood of AI-generated bug reports overwhelming the Linux kernel's security mailing list, saying mass duplication from multiple researchers using the same tools has made it "almost entirely unmanageable." He argues that AI-detected bugs are not secret by nature and should not be submitted to a private list, where reporters cannot see each other's duplicate reports, creating pointless extra work. Torvalds urged researchers to go further than simply filing AI-generated reports by also developing patches and adding genuine understanding, rather than submitting drive-by reports with no real context.

Linus Torvalds has had enough. In his weekly kernel status post accompanying the release of Linux 7.1 release candidate four, the man himself described the project's security mailing list as 'almost entirely unmanageable' — and pointed the finger squarely at AI-powered bug hunting tools.

The problem isn't that AI is finding bugs. It's that dozens of researchers are running the same tools against the same codebase and then dutifully filing identical reports, apparently without checking whether anyone else has already done exactly that. Maintainers are now spending their days either forwarding messages to the right people or typing some variation of 'yes, that was fixed three weeks ago' over and over again.

Torvalds is not impressed. He called it 'entirely pointless churn' and made a point that's hard to argue with: bugs found by AI tools are, almost by definition, not secret. Running them through a private security list makes the duplication problem worse, not better, because reporters can't see what's already been submitted.

His advice was characteristically blunt. If you found something with an AI tool, assume someone else found it too. If you actually want to contribute, read the documentation, write a patch, and add something that required a human brain. 'Don't be the drive-by send a random report with no real understanding kind of person,' he wrote. The 'OK?' at the end of that sentence was doing a lot of heavy lifting.

Torvalds was careful to say he's not anti-AI. The tools are fine, he noted, as long as they're used in ways that actually help rather than just generating noise and busywork for overextended maintainers.

This sits in mild tension with comments from fellow kernel maintainer Greg Kroah-Hartman, who recently told us that AI has been growing into a genuinely useful tool for the open source community. Both things can be true, of course. The tools aren't the problem. The workflow around them is.

The Linux project's documentation has apparently been updated to address all this, though Torvalds acknowledged it's phrased somewhat more diplomatically than he tends to be. Shocking.