Linux founder warns AI bug reports are flooding security channels with 'pointless churn'

The Linux kernel maintainer describes the security mailing list as 'unmanageable' due to duplicate submissions, while GitHub emphasises that bounty payouts favour depth over volume.

Author: Owen Mercer, Markets and Finance Editor
Published: Draft
Source: The Verge
Linus Torvalds says Linux security list is becoming ‘unmanageable’ due to AI bug reports
Linus Torvalds and GitHub’s Jarom Brown urge researchers to prioritise validated, deep research over unverified AI outputs

Linux founder Linus Torvalds has issued a stark warning regarding the integrity of the Linux security mailing list, stating that a surge in artificial intelligence-generated bug reports has rendered the channel "almost entirely unmanageable." In his most recent state of the kernel post, Torvalds identified "enormous duplication" as the primary issue, noting that different contributors are utilising identical tools to discover the same vulnerabilities.

Torvalds characterised these submissions as "pointless make-believe work" and "drive-by" reports that lack patches or genuine technical understanding. He argued that vulnerabilities detected by AI tools are rarely secret, meaning that treating them on private lists wastes time and exacerbates duplication by preventing reporters from seeing each other’s findings. He described the situation as "entirely pointless churn" that creates unnecessary pain for the community.

The kernel maintainer clarified that while AI tools can be beneficial, they must be used productively. Torvalds urged contributors to validate their findings, reproduce issues, and provide patches to add real value to the ecosystem. He explicitly advised against submitting random reports without real understanding, stating that if a bug is found using AI, the likelihood is that someone else has already identified it.

GitHub senior product security engineer Jarom Brown echoed these sentiments, reinforcing the need for rigorous validation in bug reporting. Brown noted that while GitHub has no issue with the use of AI tools generally, AI-assisted bug reports must be verified and reproduced to be considered useful. He emphasised that an unvalidated output submitted without demonstrated impact does not meet the standard for a great submission.

Brown highlighted a shift in strategy for researchers, encouraging a move from prioritising volume to focusing on depth. He stated that one well-researched, validated finding is worth more than ten speculative ones in terms of both bounty payout and reputation. The researchers who earn the most from GitHub’s program are those who go deep, rather than those who rely on high volumes of unverified AI outputs.

While Torvalds acknowledged that his criticism might not apply to significant findings such as the "Copy Fail" exploit, which affected nearly every Linux distro, his core message remains focused on quality over quantity. He concluded that AI should be used in a way that improves the experience for everyone involved, rather than causing disruption through duplicate, unverified reports.

The comments from both Torvalds and Brown underscore a growing tension in the cybersecurity community as AI tools become more prevalent. The consensus from these key figures is clear: automation should augment human expertise, not replace the rigorous validation and deep research required to maintain the security of critical infrastructure like the Linux kernel.
