Linus Torvalds says flood of duplicate AI-generated vulnerability reports have made Linux security mailing list 'almost entirely unmanageable' — private list 'a waste of time for everybody involved' in switch to new public system

(Image credit: Getty)

Linus Torvalds declared the Linux kernel's private security mailing list "almost entirely unmanageable" on Sunday in his weekly post to the Linux Kernel Mailing List (LKML), blaming a flood of duplicate vulnerability reports generated by researchers running the same AI tools against the same code. The complaint accompanied the release of Linux 7.1-rc4 and a pointer to newly merged documentation that formalizes how AI-assisted bug reports should be handled.The problem, according to Torvalds, is the combination of volume and redundancy: multiple researchers are independently discovering identical bugs using automated tools and filing them separately on a private mailing list, where nobody can see what has already been submitted. Maintainers end up spending their time triaging duplicates and directing reporters to fixes that were merged weeks earlier.This Torvalds-endorsed approach is exactly what fellow maintainer Greg Kroah-Hartman has been doing with his “Clanker T1000” system, a Framework Desktop-powered bug-finding tool: discover the issue, write the fix, take responsibility for the patch, and submit it publicly.Get Tom's Hardware's best news and in-depth reviews, straight to your inbox.