Flood of duplicate vulnerability reports have made Linux security mailing list ‘almost entirely unmanageable’ — Linus Torvalds says private list ‘a waste of time for everybody involved’ in switch to new public system

Flood of duplicate vulnerability reports have made Linux security mailing list ‘almost entirely unmanageable’ — Linus Torvalds says private list ‘a waste of time for everybody involved’ in switch to new public system

https://www.tomshardware.com/software/linux/linus-torvalds-says-ai-bug-reports-have-made-the-linux-security-mailing-list-almost-entirely-unmanageable

Publish Date: 2026-05-18 09:34:00

Source Domain: www.tomshardware.com

Linus Torvalds declared the Linux kernel’s private security mailing list “almost entirely unmanageable” on Sunday in his weekly post to the Linux Kernel Mailing List (LKML), blaming a flood of duplicate vulnerability reports generated by researchers running the same AI tools against the same code. The complaint accompanied the release of Linux 7.1-rc4 and a pointer to newly merged documentation that formalizes how AI-assisted bug reports should be handled.

The problem, according to Torvalds, is the combination of volume and redundancy: multiple researchers are independently discovering identical bugs using automated tools and filing them separately on a private mailing list, where nobody can see what has already been submitted. Maintainers end up spending their time triaging duplicates and directing reporters to fixes that were merged weeks earlier.

“AI detected bugs are pretty much by definition not secret, and treating them on some private list is a waste of time for everybody involved,” Torvalds wrote on LKML.

Latest Videos From

You may like

Torvalds pointed developers to the project’s security bug documentation, which states that vulnerabilities found using AI tools should be treated as public disclosures and submitted directly to the relevant maintainers, not routed through the private security list. Reports must be concise, formatted in plain text, and include a verified reproducer.

In March, Willy Tarreau, the creator of HAProxy and a longtime Linux kernel stable maintainer, said in comments posted to LWN that the kernel security mailing list, which received roughly two to three reports per week two years ago, now receives five to 10 reports per day. Most are solid finds, but the duplication across researchers using similar tooling has overwhelmed the existing triage process.

Torvalds urged researchers to go further than filing raw findings. “If you actually want to add value, read the documentation, create a patch…

Source