When Linus Torvalds released Linux 7.1-rc4 on May 17, he stated bluntly in his weekly release-candidate announcement on the LKML that the private Linux kernel security mailing list had become “almost entirely unmanageable” because of the sheer volume of duplicate vulnerability reports generated by AI tools. Multiple researchers running the same AI scanning tools kept discovering the same flaws and submitting them independently to the private list, resulting in “a massive amount of duplication.” Maintainers were left spending endless hours forwarding these reports to the right people or repeatedly replying that “the flaw was fixed a week/month ago.” Torvalds also pointed out that vulnerabilities identified by AI “are almost by definition not secret at all,” so routing them to the private list is “a waste of everyone’s time” — that list should be reserved for genuine, urgent zero-day issues.
In response, the Linux kernel security team updated its documentation to state explicitly that AI-discovered flaws should be treated as publicly known and submitted directly to the relevant maintainers; reports must be brief, in plain text, and include steps that make the issue easy to reproduce. As for the numbers, Willy Tarreau, the kernel stable maintainer, revealed last March that submissions to the security list have surged from just 2–3 per week two years ago to 5–10 per day today. Torvalds’ advice is straightforward: if you spot a flaw using AI tools, submit a fix patch along with it and “add real value on top of what the AI does” rather than acting as “a random contributor who just sends reports without truly understanding the problem.” Fellow kernel maintainer Greg Kroah-Hartman had previously demonstrated the proper approach using his local AI bot “Clanker T1000”: identify a flaw, craft a fix, and sign the submission as a human.