Linus Torvalds says AI bug hunters have ruined Linux security mailing list
Linus Torvalds warns AI‑generated bug reports are overwhelming the Linux security mailing list with duplication and noise
He urged researchers to add real value by creating patches instead of submitting random automated findings
Similar concerns have already led projects like curl and HackerOne’s Internet Bug Bounty Team to shut down or restrict bug bounty programs
The
Linux
security mailing list is now “almost entirely unmanageable”, since researchers started using Artificial Intelligence (AI) to flood it with useless reports, lead maintainer Linus Torvalds has warned.
After describing the latest release candidate as “fairly normal” in his latest weekly state of the kernel post, addressing things like drivers, networking, core kernel, and more, Torvalds stressed that “some of the documentation updates might be worth highlighting.”
“The continued flood of AI reports has basically made the security list almost entirely unmanageable, with enormous duplication due to different people finding the same things with the same tools,” he said. “People spend all their time just forwarding things to the right people or saying "that was already fixed a week/month ago" and pointing to the public discussion”.
You may like

Linux rules on using AI-generated code - Copilot is OK, but humans must take 'full responsibility for the contribution'

Over 29 million secrets were leaked on GitHub in 2025, and AI really isn't helping

Hackers used AI to discover and weaponize a zero-day for the first time
Entirely pointless churn
Torvalds stressed these reports are “entirely pointless churn”, since most of the bugs
AI tools
detects are “pretty much by definition not secret”, and that reporting that “only makes duplication worse”.
Besides complaining, Torvalds also gave a few concrete pointers, telling researchers to use AI “in a way that is productive and makes for a better experience”:
“The documentation may be a bit less blunt than I am, but that's the core gist of it,” he concluded. “If you actually want to add value, read the documentation, create a patch too, and add some real value on *top* of what the AI did. Don't be the drive-by "send a random report with no real understanding" kind of person.”
Torvalds is not the first person to point to people using AI to cause a flood of pointless reports. In late January this year, the developers of curl, the open source command-line tool and software library, announced they were
killing their HackerOne bug bounty program
for the same reasons.
HackerOne also recently reported the Internet Bug Bounty Team, which it manages, would no longer reward researchers who identify and reward bugs.

➡️
Read our full guide to the best antivirus
1. Best overall:
Bitdefender Total Security
2. Best for families:
Norton 360 with LifeLock
3. Best for mobile:
McAfee Mobile Security

Follow TechRadar on Google News
and
add us as a preferred source
to get our expert news, reviews, and opinion in your feeds.
