How did Linus Torvalds describe AI bug reports?

Linus Torvalds: AI reports made Linux security list “unmanageable”

Linus Torvalds said AI-generated bug reports have flooded the Linux security mailing list, making it “almost entirely unmanageable.” His comments focus less on whether AI bug-hunting can be useful and more on the operational burden created by low-signal duplication.

In his assessment, the volume and repetitiveness of AI-submitted reports overwhelm maintainers’ ability to triage issues effectively. The underlying problem is not that every report is useless, but that the security list becomes noisy when many entries cover the same underlying problems or arrive without sufficient value.

Torvalds’ stance matters because the Linux security process depends heavily on expert review, curated reporting, and careful handling of vulnerabilities—especially for submissions that can affect timelines for fixes and advisories. If the queue is dominated by duplicates, genuine high-quality reports may be delayed.

He also indicated a path forward: AI tools are “great,” but bug reporters should add real value rather than just generate plausible-sounding reports. The implication is that improving quality—by reducing duplication, increasing evidence, and providing clearer reproduction details—would make AI-assisted submissions more workable for maintainers.

For the broader open-source ecosystem, Torvalds’ warning is a signal that AI-assisted security research is arriving with unintended scaling problems. As more developers use automation to draft reports, maintainers may need stronger filters and clearer guidelines on what constitutes actionable, non-duplicative disclosure.

In short, Torvalds is calling for fewer but better reports, warning that the current influx of AI-driven submissions threatens the practicality of Linux’s security triage pipeline.