The creator of the operating system is peeved at the “pointless churn”: New rules for AI-aided vulnerability disclosures enacted.
Following the torrent of Linux vulnerabilities detected by people using AI tools, the operating system’s creator, Linus Torvalds, warned in an official post on 17 May that the project’s private security mailing list has become almost unusable because it is being flooded with AI‑generated bug reports.
Many of these submissions are duplicates: different researchers, using similar AI tools, independently find the same vulnerabilities and report them to the same confidential channel, where reporters cannot see each other’s findings.
As a result, according to Torvalds, kernel maintainers are spending most of their time forwarding messages, noting that issues were already fixed, and pointing to existing discussions instead of writing or reviewing code. He called this “pointless churn” and stressed that AI tools are only useful if they genuinely reduce work rather than create extra noise.
In a release note for the Linux 7.1‑rc4 kernel, Torvalds urged security researchers who rely on AI to go beyond simply submitting raw findings: read the Linux documentation, submit proper patches, and add real value on top of what the AI produces instead of sending “drive‑by” reports that lack context or understanding.
At the same time, the project has adopted new internal documentation, written by kernel developer Willy Tarreau, that sets clearer rules for how AI‑assisted vulnerability reports should be handled. The guidance states that AI‑discovered bugs are typically treated as public, since they tend to surface at nearly the same time across multiple teams. The private security list is now reserved for serious, urgent bugs that give attackers abilities they should not have on properly configured production systems and that affect many users.
The new policy also defines which flaws belong in the regular public bug‑tracking channels rather than the private list and insists that reports focus on verified impact, avoid speculation, stay concise, and include working test cases.
The changes come as AI‑driven security research rapidly improves, now uncovering real, long‑standing vulnerabilities. As open‑source projects confront this surge of AI‑aided vulnerability findings, the Linux community’s new rules represent an early attempt to harness the benefits of AI without being overwhelmed by its output.
