Linus Torvalds flags AI bug‑report flood

- Linus Torvalds said on May 17 the Linux kernel security list had become “almost entirely unmanageable” because AI-assisted bug reports were flooding in.
- Torvalds cited “enormous duplication,” saying maintainers were spending time forwarding reports or noting issues “already fixed a week/month ago.”
- Linux kernel documentation says reporters should include analysis and, if possible, a proposed fix when contacting the private security team.

Linus Torvalds’ complaint is not really about AI as a coding tool. It is about what happens when many people use the same tools on the same codebase, then send the results into a workflow built for scarce, high-signal security reports. In a May 17 post accompanying Linux 7.1-rc4, Torvalds said the kernel security mailing list had become “almost entirely unmanageable” because of a “continued flood of AI reports” and “enormous duplication.”

The immediate target was the Linux kernel’s private security list, which the project’s documentation says is meant for security bugs that need verification and coordinated handling by security officers and maintainers. That process assumes each report brings real analysis. Torvalds said maintainers were instead spending time forwarding messages to the right people or replying that the issue had already been fixed in public discussion. (theregister.com)

### Why did Torvalds single out AI-generated reports?

Torvalds said the problem was duplication, not the existence of AI tools themselves. In his May 17 note, he wrote that different people were “finding the same things with the same tools,” producing what he called “pointless churn.” (kernel.org)

His wording matters because he did not call for a ban on AI assistance. Torvalds wrote that “AI tools are great, but only if they actually help,” and said reporters should add something beyond the model’s output. He told would-be reporters to read the documentation, create a patch and “add some real value on top of what the AI did.” (theregister.com)

### Why is the private security list the choke point here?

The Linux kernel security process uses a private list at security@kernel.org for bugs that need confidential handling while a fix is verified and prepared. The project’s documentation says the security team helps verify reports and work with developers on a fix, and adds that including a proposed fix can speed the process. (theregister.com)

Torvalds argued that AI-found bugs often do not fit that model. He wrote that “AI detected bugs are pretty much by definition not secret,” because the same tools are available broadly and are likely to surface the same issue for multiple people. Keeping those reports private, he said, makes duplication worse because reporters cannot see that others have already submitted the same finding. (kernel.org)

### What does the kernel project already ask bug reporters to do?

The kernel’s documentation already sets a higher bar than simply sending a claim. The security-bugs guide says reports require analysis work from developers and asks reporters to provide as much information as possible; it specifically says a proposed fix is valuable because people who studied the source often have a good idea how to repair it. (theregister.com)

Separate kernel guidance for AI coding assistants also says AI-assisted contributors must follow the standard development process. That documentation frames AI as a tool inside existing contribution rules, not as a shortcut around them.

### Is this a rejection of AI in open-source security work?

Greg Kroah-Hartman, a senior kernel maintainer, recently told The Register that AI has become an “increasingly useful tool” for the free and open-source software community. (docs.kernel.org) Torvalds’ comments sit alongside that view rather than directly against it: both positions allow for AI use, but Torvalds is drawing a line at low-context, duplicative reporting. (docs.kernel.org)

The next place this shows up will be in kernel reporting practice, not a product launch. The relevant documents are the Linux kernel’s security-bugs guidance and AI coding assistants guidance, and Torvalds’ May 17 Linux 7.1-rc4 post is now the clearest statement of how maintainers want AI-found bugs handled. (docs.kernel.org) (theregister.com)
