AI was thought to be useful in uncovering bugs and security vulnerabilities, but its extensive use is leading to some unexpected problems.
Linux creator Linus Torvalds has raised a sharp warning about the state of the kernel’s security reporting process. In an email sent on May 17, 2026, announcing the Linux 7.1-rc4 release candidate, Torvalds went beyond the routine changelog update to call out a growing dysfunction: AI-generated bug reports are overwhelming the Linux security mailing list, and the volume has made it “almost entirely unmanageable.”

The Problem: Volume Without Value
The core issue, as Torvalds describes it, is duplication. Different people are running the same AI tools against the same codebase and independently reporting the same findings, each unaware that the others have done the same. Maintainers are now spending the bulk of their time either routing reports to the right people or explaining that the issue was already fixed weeks or months ago. “Which is all entirely pointless churn,” Torvalds wrote.
This is part of a broader pattern. AI’s dramatic rise as a coding tool has brought real productivity gains, but it has also created pressure and noise in places where infrastructure wasn’t built to absorb it. GitHub, for instance, has been struggling with outages caused by the sheer volume of AI agents hammering its systems — a stress test its architecture was never designed for.

Treating AI-Found Bugs As Secret Is Pointless
Torvalds made a pointed argument about how AI-detected bugs should be handled. Because AI tools are available to anyone, any vulnerability they surface is, by definition, likely to be found by multiple people. Treating such reports as confidential — routing them through a private security list — only amplifies the duplication problem, since reporters can’t even see each other’s submissions.
His conclusion: AI-detected bugs are “pretty much by definition not secret,” and handling them as though they were is a waste of time for everyone involved.

A Call For Accountability, Not A Ban
Torvalds is not asking people to stop using AI tools. His message is about how they’re used. The value of AI in security research isn’t the discovery alone — it’s what the reporter does next. “If you found a bug using AI tools, the chances are somebody else found it too,” he wrote. “If you actually want to add value, read the documentation, create a patch too, and add some real value on top of what the AI did.”
The alternative — firing off a report with no real understanding of the underlying code — is exactly what he’s asking people not to do. AI, in his framing, should be the beginning of the work, not a substitute for it.

The Bigger Picture
This tension isn’t unique to Linux. As AI takes on a growing share of coding work across the industry, questions about quality, accountability, and human oversight are becoming harder to ignore. Torvalds’ frustration is a reminder that the real challenge with AI tools isn’t capability — it’s judgment. Tools that generate output faster than humans can review it create bottlenecks and noise just as easily as they create value.
For the Linux kernel’s security process, the fix is straightforward: contribute something AI can’t — understanding, a patch, context. For the broader industry, the lesson is the same.