The Appleton Times



Linus Torvalds says Linux security list is becoming ‘unmanageable’ due to AI bug reports

By Jessica Williams

8 days ago


Linus Torvalds criticized the flood of unverified AI-generated bug reports overwhelming Linux's security list, calling them duplicative and unproductive. He urged researchers to validate findings and provide patches instead of submitting raw AI output.

Linus Torvalds, the creator of the Linux kernel, has warned that a surge in bug reports generated by artificial intelligence tools is overwhelming the project's security mailing list and creating unnecessary duplication.

In his most recent state of the kernel address, Torvalds described how reports without accompanying fixes and repeated discoveries of identical issues by different researchers using the same AI tools have turned the list into what he called an "almost entirely unmanageable" channel.

"The continued flood of AI reports has basically made the security list almost entirely unmanageable, with enormous duplication due to different people finding the same things with the same tools," Torvalds said, according to coverage in The Register.

He emphasized that AI-detected bugs are rarely secret because multiple people are likely to uncover the same problems with similar tools. "If you found a bug using AI tools, the chances are somebody else found it too," Torvalds stated, adding that such duplicate submissions represent "entirely pointless churn."

Torvalds made clear that the Linux development team will no longer treat AI-generated findings as confidential. "We're making it clear that AI detected bugs are pretty much by definition not secret, and treating them on some private list is a waste of time for everybody involved," he said.

The Linux founder encouraged researchers to go beyond simply forwarding AI output. "If you actually want to add value, read the documentation, create a patch too, and add some real value on top of what the AI did," Torvalds advised. "Don't be the drive-by 'send a random report with no real understanding' kind of person."

He acknowledged that AI tools can be useful when applied productively. "AI tools are great, but only if they actually help, rather than cause unnecessary pain and pointless make-believe work," Torvalds wrote. "Feel free to use them, but use them in a way that is productive and makes for a better experience."

One notable exception Torvalds referenced was the recent "Copy Fail" exploit, which was identified with AI assistance and impacted nearly every major Linux distribution. That case stood out because it included verification and broader impact analysis rather than raw tool output.

Similar concerns have surfaced elsewhere in the open-source ecosystem. GitHub senior product security engineer Jarom Brown addressed a comparable wave of AI-assisted submissions on the company's bug bounty program.

"An AI-assisted finding that's been verified, reproduced, and submitted with a working proof of concept is a great submission," Brown said. "An unvalidated output submitted as-is without reproduction or demonstrated impact is not."

Brown urged researchers to prioritize quality over quantity. "If you've been prioritizing volume, we'd encourage a shift toward depth," he noted. "One well-researched, validated finding is worth more than 10 speculative ones, both in bounty payout and reputation."

The Linux kernel project relies on a distributed network of developers who review patches and security reports through public and private mailing lists. The security list in particular is the private channel for vulnerability reports that are embargoed until a fix is available, which is why a flood of non-confidential, duplicated AI findings is especially disruptive there.

Torvalds' comments reflect ongoing tensions in open-source communities as automated analysis tools become accessible to a wider range of contributors. While such tools can surface candidate issues quickly, each report still costs maintainer time to triage, reproduce and verify, and an unverified report shifts that cost entirely onto the project.

Industry observers expect continued discussion about best practices for AI use in security research, particularly around validation requirements and disclosure norms. Torvalds' direct guidance aims to reduce noise while preserving the collaborative spirit that has sustained Linux development for decades.
