In his weekly Linux kernel post, Linus Torvalds says “AI tools are great” but duplicate bug reports have made the security list “almost entirely unmanageable”
Multiple researchers using the same tools to find the same bugs are creating ‘unnecessary pain and pointless work’
Context & Ripple Effects
Maintainers had already reported that easy access to LLMs was producing low-quality, AI-assisted bug submissions in projects such as curl. This report extends that problem to the Linux kernel’s security process, where duplicate findings are consuming scarce review capacity.
The issue is not that AI tools cannot find bugs; Torvalds remains positive about their eventual utility. The immediate failure is submission quality and coordination: many users can surface the same issue without a mechanism to consolidate it before it reaches maintainers.
First-order effects
- Kernel security-list participants must spend more time identifying and closing duplicate reports, reducing the attention available for novel vulnerabilities and fixes.
- Researchers using AI-assisted discovery face a higher bar to verify novelty and usefulness before submitting findings to the kernel project.
Second-order effects
- Open-source projects and bug-bounty operators are likely to strengthen intake controls—such as duplicate detection, validation requirements, and automated triage—to protect maintainers from report volume.
- Tool users and vendors have an incentive to add workflow features that check known issues and help substantiate findings, rather than optimizing solely for the number of reports generated.
Third-order effects
- If unfiltered AI-assisted reporting persists, maintainer time becomes a sharper bottleneck in open-source security, potentially shifting projects toward more gated disclosure channels and fewer open contribution paths.
- The durable differentiator for AI security tooling may move from bug discovery alone to trusted prioritization, deduplication, and evidence generation; whether this reduces burden depends on maintainers accepting those systems.
The trend: AI is lowering the cost of generating security findings faster than open-source projects can validate and route them, making contribution-quality infrastructure increasingly central to software security.