The Linux kernel project is implementing stricter rules for AI-assisted bug reports after project leader Linus Torvalds warned that automated security submissions have made the kernel security mailing list almost unmanageable. In his Linux 7.1-rc4 announcement, Torvalds described a continued flood of AI-generated reports, many describing identical flaws discovered by multiple people running the same scanning tools, creating what he called pointless churn that wastes maintainer time on duplicate issues.
The core problem stems from how AI-discovered bugs are being handled. Many researchers have been routing automated findings through the private security mailing list, treating them as sensitive zero-day vulnerabilities requiring confidential handling. However, Torvalds argues that bugs found by widely available automated tools are by definition not secret, since the same tools will flag identical issues for multiple researchers simultaneously. Routing these through private channels only hides duplicates from each other and amplifies the workload.
Ahead of the 7.1 release, the kernel team merged updated security documentation that formally defines what qualifies as a true security vulnerability. The private security list is now explicitly reserved for urgent, easily exploitable bugs that cross clear trust boundaries and affect many users on properly configured production systems. For AI-detected issues, the documentation states they should generally be treated as public because such bugs systematically surface across multiple researchers, often on the same day.
The new guidelines establish strict quality requirements for AI-assisted submissions. Reports must be concise, in plain text, and focus on concrete, verifiable impact rather than speculative scenarios. Contributors must actually reproduce the AI-flagged issue, include a tested reproducer, and ideally propose and test a patch. Torvalds urged contributors to add real value on top of what the AI did rather than sending random reports with no real understanding of the underlying issue.
Kernel maintainers are not rejecting AI tools outright, acknowledging that modern automated analysis helps uncover subtle corner-case bugs. The issue is process management: unfiltered AI-generated reports routed as private security issues burn review bandwidth and slow response to genuine vulnerabilities. Security teams and researchers using automated tools should now submit AI-discovered bugs through public channels, reproduce issues before reporting, and focus on providing high-signal reports with tested patches rather than raw tool output.
Source: https://cybersecuritynews.com/linus-torvalds-on-ai-bug-reports/