Linus Torvalds says Linux security list is becoming ‘unmanageable’ due to AI bug reports
Reports without fixes, and people finding the ‘same things with the same tools,’ are causing a logjam.

Linux founder Linus Torvalds said in his most recent state of the kernel post that “the continued flood of AI reports has basically made the security list almost entirely unmanageable, with enormous duplication due to different people finding the same things with the same tools,” as The Register reports.


That probably doesn’t apply to stuff like the “Copy Fail” exploit, which was detected with help from AI and affected nearly every Linux distro.
“The documentation may be a bit less blunt than I am,” Torvalds said. “So just to make it really clear: if you found a bug using AI tools, the chances are somebody else found it too.” He called the duplicate bug reports “entirely pointless churn,” stating:
We’re making it clear that AI detected bugs are pretty much by definition not secret, and treating them on some private list is a waste of time for everybody involved - and only makes that duplication worse because the reporters can’t even see each other’s reports.
AI tools are great, but only if they actually help, rather than cause unnecessary pain and pointless make-believe work. Feel free to use them, but use them in a way that is productive and makes for a better experience.
Torvalds went on to add, “If you actually want to add value, read the documentation, create a patch too, and add some real value on top of what the AI did. Don’t be the drive-by ‘send a random report with no real understanding’ kind of person.” GitHub senior product security engineer Jarom Brown similarly responded to a wave of AI bug reports recently, saying that while GitHub has “no problem” with AI tools in general, AI-assisted bug reports need to be validated to be useful.
An AI-assisted finding that’s been verified, reproduced, and submitted with a working proof of concept is a great submission. An unvalidated output submitted as-is without reproduction or demonstrated impact is not… If you’ve been prioritizing volume, we’d encourage a shift toward depth. One well-researched, validated finding is worth more than 10 speculative ones, both in bounty payout and reputation. The researchers who earn the most from our program are the ones who go deep.