Linus Torvalds: AI bug tools broke Linux security list
Key insights
- Multiple AI scanning tools converging on identical kernel findings produced a flood of duplicate reports that overwhelmed maintainers' review capacity.
- Torvalds responded with policy, not bans: new kernel documentation now expects anyone reporting a security bug to follow the report with a patch.
- The episode exposes a structural coordination gap where cheap automated scanning outpaces the human bandwidth required to triage results.
Why this matters
For AI tooling founders, this is a live case study in how deployment scale creates negative externalities on shared infrastructure -- the same dynamics will hit other open-source projects and lists (OpenSSL, curl, the kernel's own subsystem lists) as the cost of scanning approaches zero. For security practitioners, it signals that triage burden is now a first-order threat to mailing-list-based disclosure models, potentially delaying response to genuine critical CVEs. For technical leaders evaluating AI-assisted security products, Torvalds' patch-required policy sets a precedent that could propagate across major open-source foundations, raising the bar for any automated disclosure workflow.
Summary
Linus Torvalds has declared the Linux kernel's security mailing list "almost entirely unmanageable" after AI-powered vulnerability scanners flooded it with duplicate, low-quality bug reports. The problem isn't a single bad actor -- it's structural: multiple independent researchers running the same automated scanning tools against the kernel and filing identical findings with no coordination and no patches attached.
Torvalds' response wasn't to ban AI tools outright. Instead, he merged new kernel documentation tightening the definition of what qualifies as a security bug and requiring reporters to follow up any disclosure with an actual patch -- not a drive-by report from someone who doesn't understand the code path they're flagging.
Essentially: Linux kernel maintainers and the researchers running AI vulnerability scanners against the kernel are now in direct operational conflict over the cost of low-signal automated reporting.
- No single patch fixes the coordination failure -- many researchers independently arriving at the same AI-generated finding is a workflow problem, not a kernel bug.
- The new documentation creates a higher bar for entry: report without a patch, and your submission may be dismissed.
- The mailing list is a shared critical resource; its degradation has real consequences for legitimate security researchers and maintainers triaging actual CVEs.
AI-powered scanning is now fast enough and cheap enough to saturate human review capacity in open-source infrastructure, and the Linux kernel is just the first high-profile example.
Potential risks and opportunities
Risks
- Legitimate critical CVEs could be buried or delayed in triage if the duplicate-report volume continues to grow before the new documentation deters low-effort submissions.
- AI vulnerability scanning vendors risk being named and excluded from future responsible disclosure channels if maintainers identify which tools are generating the noise.
- Other major open-source security mailing lists face the same collapse in manageability if no cross-project coordination standard emerges to gate automated disclosures.
Opportunities
- Disclosure management platforms (HackerOne, Bugcrowd, Intigriti) could capture kernel and open-source triage workflows by offering AI deduplication and patch-readiness gating before reports reach maintainers.
- Open-source foundations (Linux Foundation, Apache, CNCF) have a window to establish an industry-wide automated disclosure standard that would define compliant AI scanning behavior and create a new certification market.
- Static analysis vendors that can differentiate on low false-positive rates and patch-generation capability (including emerging LLM-assisted patch tools) gain a clear positioning advantage as projects make patch-attached disclosure a hard requirement.
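The coordination failure described in the summary (the same finding filed independently by several reporters, usually with no patch attached) and the deduplication and patch-readiness gating floated above are the kind of thing a list moderator could front with a small pre-filter. The following is an added example written for this page; it is not kernel project tooling and not any vendor's product. The plain-text report format, the `path/file.c:line` and `func()` conventions it parses, the bug-class keyword table and the four sample messages are all constructed assumptions.

```python
"""Hypothetical triage pre-filter for a security mailing list inbox.

Added example, not kernel tooling. Each incoming report is reduced to a
fingerprint (file, function, bug class), so that the same finding from
several scanners collapses onto one ticket, and is checked for an attached
unified-diff hunk, so that patch-less reports can be bounced back to the
reporter. Line numbers are deliberately left out of the fingerprint because
different tools disagree on the exact line of the same finding.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample reports (hypothetical, not real kernel findings).
# Reports 1, 2 and 4 are the same finding from three scanners; only report 2
# carries a patch. Report 3 is a different finding with no patch.
SAMPLE_REPORTS = [
    ("[scanner-a] possible NULL deref in net/foo/bar.c",
     "Automated scan flagged a possible NULL pointer dereference in bar_probe()\n"
     "at net/foo/bar.c:142 (line 142). Please advise.\n"),
    ("Null pointer dereference net/foo/bar.c bar_probe",
     "Our tool reports a null-pointer dereference in bar_probe(), net/foo/bar.c:144.\n"
     "Proposed fix:\n"
     "diff --git a/net/foo/bar.c b/net/foo/bar.c\n"
     "--- a/net/foo/bar.c\n"
     "+++ b/net/foo/bar.c\n"
     "@@ -140,6 +140,8 @@ static int bar_probe(struct device *dev)\n"
     "+\tif (!cfg)\n"
     "+\t\treturn -EINVAL;\n"),
    ("Integer overflow in drivers/foo/baz.c",
     "Potential integer overflow in baz_alloc() at drivers/foo/baz.c:88.\n"),
    ("[scanner-c] NULL deref, net/foo/bar.c",
     "NULL dereference in bar_probe() at net/foo/bar.c:142.\n"),
]

# A report "has a patch" only if it contains at least one unified-diff hunk header.
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+\d+(?:,\d+)? @@", re.MULTILINE)
# Where the prose ends and the patch begins; only the prose is fingerprinted.
PATCH_START_RE = re.compile(r"^(?:diff --git |--- a/|@@ )", re.MULTILINE)
FILE_RE = re.compile(r"\b([\w./-]+\.[ch])\b")       # first path ending in .c/.h
FUNC_RE = re.compile(r"\b([A-Za-z_]\w*)\(\)")        # first identifier written as name()
# Assumed keyword table mapping free-text descriptions onto a canonical bug class.
BUG_CLASSES = (
    ("null-deref", re.compile(r"null[ -]?(?:pointer[ -]?)?deref")),
    ("int-overflow", re.compile(r"integer overflow")),
    ("uaf", re.compile(r"use[ -]after[ -]free")),
    ("oob", re.compile(r"out[ -]of[ -]bounds|buffer overflow")),
)


@dataclass
class Triage:
    subject: str
    fingerprint: str
    has_patch: bool
    disposition: str                 # "review", "needs-patch" or "duplicate"
    related: Optional[str] = None    # subject of the report this one duplicates or supersedes


def has_unified_diff_hunk(body: str) -> bool:
    return HUNK_RE.search(body) is not None


def fingerprint(body: str) -> str:
    """Stable 12-hex-digit id derived from (file, function, bug class) in the prose part."""
    m = PATCH_START_RE.search(body)
    prose = body[:m.start()] if m else body
    file_m = FILE_RE.search(prose)
    func_m = FUNC_RE.search(prose)
    low = prose.lower()
    bug_class = next((name for name, rx in BUG_CLASSES if rx.search(low)), "unknown")
    key = "|".join([file_m.group(1) if file_m else "?",
                    func_m.group(1) if func_m else "?", bug_class])
    return hashlib.sha256(key.encode()).hexdigest()[:12]


def triage(reports):
    """Assign each (subject, body) a disposition; a later report that brings a patch
    supersedes an earlier patch-less one instead of being bounced as a duplicate."""
    canonical = {}   # fingerprint -> the Triage record currently representing that finding
    out = []
    for subject, body in reports:
        fp = fingerprint(body)
        patched = has_unified_diff_hunk(body)
        prior = canonical.get(fp)
        if prior is None:
            rec = Triage(subject, fp, patched, "review" if patched else "needs-patch")
            canonical[fp] = rec
        elif patched and not prior.has_patch:
            rec = Triage(subject, fp, True, "review", related=prior.subject)
            canonical[fp] = rec
        else:
            rec = Triage(subject, fp, patched, "duplicate", related=prior.subject)
        out.append(rec)
    return out


if __name__ == "__main__":
    for rec in triage(SAMPLE_REPORTS):
        print(f"{rec.fingerprint}  {rec.disposition:<11} {rec.subject}"
              + (f"  (see: {rec.related})" if rec.related else ""))
```

Run against the constructed inbox, the first scanner report is bounced as `needs-patch`, the second is routed to `review` because it brings a hunk for the same fingerprint, the unrelated overflow report is bounced, and the third scanner's copy is marked `duplicate` of the patched one. The keyword classifier and the `name()` heuristic are the weak points; real reports would need either a structured report template or an extracted file/function pair from the attached patch itself. Note that nothing here authenticates the sender, which is the enforceability gap the page raises below.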
What we don't know yet
- Which specific AI scanning tools or vendors are generating the bulk of the duplicate reports -- none have been named publicly as of May 2026.
- Whether other critical open-source security channels (OpenSSL, curl, the Linux Foundation's private disclosure list) are experiencing comparable volume spikes from the same tooling.
- Whether the new kernel documentation policy will be enforceable in practice, given that mailing list submission requires no authentication or prior vetting.
Originally reported by theregister.com
Original headline: Linus Torvalds Says AI-Powered Bug Hunters Have Made Linux Security Mailing List 'Almost Entirely Unmanageable'