
New kernel documentation now formally requires AI-found bugs to be reported publicly.
The problem, according to Torvalds, is the combination of volume and redundancy: multiple researchers are independently discovering identical bugs using automated tools and filing them separately on a private mailing list, where nobody can see what has already been submitted. Maintainers end up spending their time triaging duplicates and directing reporters to fixes that were merged weeks earlier.
"AI detected bugs are pretty much by definition not secret, and treating them on some private list is a waste of time for everybody involved," Torvalds wrote on LKML.
Torvalds pointed developers to the project's security bug documentation, which states that vulnerabilities found using AI tools should be treated as public disclosures and submitted directly to the relevant maintainers, not routed through the private security list. Reports must be concise, formatted in plain text, and include a verified reproducer.
In March, Willy Tarreau, the creator of HAProxy and a longtime Linux kernel stable maintainer, said in comments posted to LWN that the kernel security mailing list, which received roughly two to three reports per week two years ago, now receives five to 10 reports per day. Most are solid finds, but the duplication across researchers using similar tooling has overwhelmed the existing triage process.
Torvalds urged researchers to go further than filing raw findings. "If you actually want to add value, read the documentation, create a patch too, and add some real value on top of what the AI did," he wrote. "Don't be the drive-by 'send a random report with no real understanding' kind of person."
This Torvalds-endorsed approach is exactly what fellow maintainer Greg Kroah-Hartman has been doing with his “Clanker T1000” system, a Framework Desktop-powered bug-finding tool: discover the issue, write the fix, take responsibility for the patch, and submit it publicly.