Linus Torvalds Says AI Bugs Make Security List 'Unmanageable'

Linus Torvalds, Creator of Linux | Credit: Britannica
Linus Torvalds, the creator of Linux, says that the project's security mailing list has become “almost entirely unmanageable” due to redundant AI bug reports.

It is no secret that frontier AI has changed the bug-hunting game forever.

Mythos and GPT 5.4-cyber have spawned industry coalitions in their own right to handle the onslaught of newly reported vulnerabilities and to secure the software infrastructure.

The predicted AI vulnerability storm, or “vulnpocalypse”, is manifesting itself within open source technologies, as Linus Torvalds, industry legend and creator of the Linux kernel, posted on the Linux Kernel Mailing List (LKML), calling the security list “almost entirely unmanageable”.

Linus notes: “The continued flood of AI reports has basically made the security list almost entirely unmanageable, with enormous duplication due to different people finding the same things with the same tools.”

New documentation on AI bugs

As developers around the world point AI at code, the same vulnerabilities get reported multiple times. In response, the LKML post pointed to new documentation that formalises how AI-assisted bug reports should be handled.

“People spend all their time just forwarding things to the right people or saying ‘that was already fixed a week/month ago’ and pointing to the public discussion,” Linus says.


He argues that this is “all entirely pointless churn” and that AI-detected vulnerabilities are by definition “not secret”.

Linus says that “treating them on some private list is a waste of time for everybody involved - and only makes that duplication worse because the reporters can't even see each other's reports.”

This redundancy costs valuable time, as maintainers triage duplicate reports of bugs that were already fixed.

This is why Linus suggests treating vulnerabilities discovered with AI tools as public disclosures, to be submitted directly to the relevant maintainers rather than to the private security list.

The influx of bug reports

Willy Tarreau, creator of HAProxy, previously commented on the scale of the emerging problem.

The security mailing list, which two years ago received around two to three reports per week, today has to deal with five to 10 reports per day.

Willy Tarreau, Author of HAProxy | Credit: HAProxy

Most of these are very solid security flaws, but the redundancy across the reports still overwhelms the current triage process.

“AI tools are great but only if they actually help, rather than cause unnecessary pain and pointless make-believe work,” Linus adds.

“Feel free to use them but use them in a way that is productive and makes for a better experience.”

The suggestion from Linus is hence not to bin AI entirely but to add value on top of it, instead of simply regurgitating the AI output.

“So just to make it really clear: if you found a bug using AI tools, the chances are somebody else found it too. If you actually want to add value, read the documentation, create a patch too and add some real value on top of what the AI did,” he says.

As Linus says: “Don't be the drive-by ‘send a random report with no real understanding’ kind of person.”
