{"id":248487,"date":"2026-05-18T09:34:00","date_gmt":"2026-05-18T13:34:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/05\/18\/flood-of-duplicate-vulnerability-reports-have-made-linux-security-mailing-list-almost-entirely-unmanageable-linus-torvalds-says-private-list-a-waste-of-time-for-everybody-involved-in-swi\/"},"modified":"2026-05-18T11:25:20","modified_gmt":"2026-05-18T15:25:20","slug":"flood-of-duplicate-vulnerability-reports-have-made-linux-security-mailing-list-almost-entirely-unmanageable-linus-torvalds-says-private-list-a-waste-of-time-for-everybody-involved-in-swi","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/05\/18\/flood-of-duplicate-vulnerability-reports-have-made-linux-security-mailing-list-almost-entirely-unmanageable-linus-torvalds-says-private-list-a-waste-of-time-for-everybody-involved-in-swi\/","title":{"rendered":"Flood of duplicate vulnerability reports have made Linux security mailing list &#8216;almost entirely unmanageable&#8217; \u2014 Linus Torvalds says private list &#8216;a waste of time for everybody involved&#8217; in switch to new public system"},"content":{"rendered":"<p><a href=\"https:\/\/www.tomshardware.com\/software\/linux\/linus-torvalds-says-ai-bug-reports-have-made-the-linux-security-mailing-list-almost-entirely-unmanageable\">Flood of duplicate vulnerability reports have made Linux security mailing list &#8216;almost entirely unmanageable&#8217; \u2014 Linus Torvalds says private list &#8216;a waste of time for everybody involved&#8217; in switch to new public system<\/a><\/p>\n<p><a href=\"https:\/\/www.tomshardware.com\/software\/linux\/linus-torvalds-says-ai-bug-reports-have-made-the-linux-security-mailing-list-almost-entirely-unmanageable\">https:\/\/www.tomshardware.com\/software\/linux\/linus-torvalds-says-ai-bug-reports-have-made-the-linux-security-mailing-list-almost-entirely-unmanageable<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-05-18 
09:34:00<\/a><\/p>\n<p>Source Domain: <a href=\"www.tomshardware.com\">www.tomshardware.com<\/a><\/p>\n<p id=\"elk-7e46b7cd-565d-4de6-8dea-da6e8641347b\">Linus Torvalds declared the Linux kernel&#8217;s private security mailing list &#8220;almost entirely unmanageable&#8221; on Sunday in his weekly post to the Linux Kernel Mailing List (LKML), blaming a flood of duplicate vulnerability reports generated by researchers running the same AI tools against the same code. The complaint accompanied the release of Linux 7.1-rc4 and a pointer to newly merged documentation that formalizes how AI-assisted bug reports should be handled.<\/p>\n<p>The problem, according to Torvalds, is the combination of volume and redundancy: multiple researchers are independently discovering identical bugs using automated tools and filing them separately on a private mailing list, where nobody can see what has already been submitted. Maintainers end up spending their time triaging duplicates and directing reporters to fixes that were merged weeks earlier.<\/p>\n<p id=\"elk-7e46b7cd-565d-4de6-8dea-da6e8641347b-2\" class=\"paywall\" aria-hidden=\"true\">&#8220;AI detected bugs are pretty much by definition not secret, and treating them on some private list is a waste of time for everybody involved,&#8221; Torvalds wrote on LKML.<\/p>\n<p class=\"paywall\" aria-hidden=\"true\">Torvalds pointed developers to the project&#8217;s security bug documentation, which states that vulnerabilities found using AI tools should be treated as public disclosures and submitted directly to the relevant maintainers, not routed through the private security list. Reports must be concise, formatted in plain text, and include a verified reproducer.<\/p>\n<p class=\"paywall\" aria-hidden=\"true\">In March, Willy Tarreau, the creator of HAProxy and a longtime Linux kernel stable maintainer, said in comments posted to LWN that the kernel security mailing list, which received roughly two to three reports per week two years ago, now receives five to 10 reports per day. Most are solid finds, but the duplication across researchers using similar tooling has overwhelmed the existing triage process.<\/p>\n<p class=\"paywall\" aria-hidden=\"true\">Torvalds urged researchers to go further than filing raw findings. 
&#8220;If you actually want to add value, read the documentation, create a patch&#8230;<\/p>\n<p><a href=\"https:\/\/www.tomshardware.com\/software\/linux\/linus-torvalds-says-ai-bug-reports-have-made-the-linux-security-mailing-list-almost-entirely-unmanageable\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Flood of duplicate vulnerability reports have made Linux security mailing list &#8216;almost entirely unmanageable&#8217; \u2014&#8230;<\/p>\n","protected":false},"author":1,"featured_media":248488,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/cdn.mos.cms.futurecdn.net\/PsBif9wzYJo8Yoq4ip9TRc-2000-80.jpg","fifu_image_alt":"","footnotes":""},"categories":[48],"tags":[71,57,27],"class_list":["post-248487","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux","tag-linux","tag-security","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/248487"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=248487"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/248487\/revisions"}],"predecessor-version":[{"id":248489,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/248487\/revisions\/248489"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/248488"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=248487"}],"wp:term":[{"taxonomy":"category","embedd
able":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=248487"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=248487"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}