Overview
- Linus Torvalds warned in his latest kernel update that the private Linux security mailing list is overwhelmed by duplicate vulnerability reports produced by people running the same AI tools against the same code.
- He said maintainers now spend time forwarding messages and telling reporters that issues were already fixed in public code, which leaves less time to write and review actual patches.
- The note arrived with Linux 7.1-rc4 and a pointer to newly merged documentation that explains how to handle AI-assisted bug reports.
- The guidance tells reporters that AI-found issues are usually not secret, urges them to post in public, and asks them to add value by proposing a patch rather than sending a drive-by report.
- Fellow maintainer Greg Kroah-Hartman offers a model the project favors: use tools to spot a bug, write the fix, take responsibility for the patch, and submit it on the public list.