Newzzly - Tech News
May 18, 2026

Linus Torvalds: AI-powered bug hunters are making Linux security unmanageable

Linux creator Linus Torvalds slams the flood of duplicate AI-generated bug reports, calling the project's security mailing list nearly unmanageable.

Key Points

  • Linus Torvalds labels Linux security mailing list as unmanageable due to AI-generated reports.
  • Researchers using identical AI tools are flooding the project with massive duplicate bug reports.
  • Torvalds criticizes 'pointless churn' that wastes maintainer time on redundant communication.
  • The kernel boss demands contributors provide patches rather than just 'drive-by' bug reports.
  • Conflicting views exist within the Linux kernel team regarding the utility of AI in development.

In a tech landscape driven by ever-increasing automation, Linux kernel creator Linus Torvalds has hit a wall. While checking in on the progress of Linux 7.1, Torvalds didn't just report on the standard development cycle; he issued a stern warning regarding the project’s security mailing list. In my view, this is a classic collision between the excitement of AI-driven tools and the harsh, practical realities of maintaining the world’s most critical open-source software.

The security mailing list, he noted, has become almost entirely unmanageable. The core of the problem is a massive influx of duplicate bug reports. Researchers, equipped with the same AI tools, are discovering the same vulnerabilities and flooding the list with redundant submissions. It’s a classic case of efficiency tools creating inefficiency for the human maintainers. As I see it, the issue isn't the AI itself, but the lack of human oversight. These researchers are essentially treating the Linux security list as a dumping ground for raw AI outputs rather than a collaborative space for finding and fixing actual problems.

Torvalds expressed frustration that the kernel maintainers are spending all their time forwarding reports, or worse, replying to tell researchers that the bug was already fixed weeks ago. He describes this as “pointless churn”: work that adds no value to the project. It’s an unsustainable drain on the core team's limited time. Why should the people responsible for the stability of the Linux kernel spend their day acting as secretaries for automated bots? This situation begs the question: are these researchers trying to improve security, or are they just trying to boost their own metrics by generating reports?

One of the most critical points raised by Torvalds is that AI-detected bugs are, by their very nature, not secret. Treating them on a private security list is a waste of time, especially when the reporters have no visibility into the reports submitted by others. This lack of transparency causes the duplication to spiral out of control. It’s a systemic issue that clearly highlights how the current workflow is not designed to handle the sheer volume of output that modern AI tools can generate. We are essentially witnessing the automation of noise, not the automation of security.

Torvalds is not anti-AI, but he is certainly anti-clutter. He offered a clear path forward: use AI tools in a way that actually contributes to the project. He explicitly asked that if someone finds a bug using AI, they should go the extra mile to understand it, create a patch, and add real value. Don't be a “drive-by” reporter who sends in random, unverified data. His message is a call for higher standards in an age where entry-level participation is becoming trivialized by automated tools. I think this is a necessary pushback against the degradation of quality that often accompanies rapid automation.

Interestingly, this stance contrasts with comments from fellow kernel maintainer Greg Kroah-Hartman, who has previously praised AI as a useful tool for the FOSS community. This disconnect suggests that the community is still grappling with how to integrate AI effectively. While some see the potential for increased coverage, others see the cost in human productivity. I suspect that as we move forward, we will see more friction between those who want to automate everything and those who are responsible for the resulting workload. It’s a debate that will likely shape the future of open-source development.

So, what does this mean for the average developer or security researcher? It’s a wake-up call that quality still matters more than quantity. If you want to contribute to the Linux kernel, you need to do the work. The days of simply pointing out an issue and expecting someone else to fix it, especially when that issue was found by a generic tool, are numbered. I expect the kernel team to eventually implement more stringent filters or requirements for submissions to maintain their sanity.

Ultimately, Torvalds is reminding us that tools are only as good as the people who wield them. We have created machines that can find bugs, but we haven't yet created a culture that knows how to manage the output of those machines responsibly. Will the security community step up and refine its approach, or will the Linux kernel maintainers be forced to lock down their communication channels even further? The answer will likely define how we interact with open-source security in the coming years.

The Crisis of Automated Reporting

The democratization of AI tools has drastically changed how security vulnerabilities are identified in the Linux kernel. However, this has backfired, as researchers are inundating the security mailing list with duplicate reports. This massive influx makes it nearly impossible for kernel maintainers to distinguish between critical, unique issues and redundant noise. Torvalds views this saturation as an administrative burden that directly hinders the security of the kernel. The core issue stems from the lack of coordination between researchers using identical automated tools. Without a centralized way to check if a bug has already been reported, the system is overwhelmed by hundreds of submissions for the same flaw. This situation raises serious questions about the efficacy of automation when not paired with human oversight. For the core developers, time is their most precious resource, and spending it managing AI-generated noise is an unsustainable drain.

The Future of Kernel Contributions

Torvalds is effectively challenging the security research community to evolve from mere bug finders into bug fixers. Providing a patch isn't just an optional extra; it is becoming a necessary standard for quality and responsibility. Torvalds argues that true contribution lies in the effort spent solving the problem, rather than the speed or volume of automated discovery. This stance reflects a growing tension within the developer community regarding the integration of AI into professional workflows. While some see these tools as a catalyst for efficiency, others fear they are lowering the barrier to entry at the cost of overall quality. Moving forward, it is likely that the Linux kernel project will implement stricter submission requirements to ensure that every report provided actually adds value to the ecosystem.

This article was drafted with AI assistance and editorially reviewed before publication. Sources are listed below.

عبدالله الجاسر

About the author

Founder

Industrial engineer | Founder of the Newzzly platform | Passionate about technology and artificial intelligence