- Linus Torvalds warns that AI-generated bug reports are flooding the Linux security mailing list with duplication and noise.
- He urged researchers to add real value by creating patches rather than submitting random automated findings.
- Similar concerns have already led projects like curl and HackerOne’s Internet Bug Bounty Team to shut down or restrict bug bounty programs.
The Linux security mailing list is now “almost completely unmanageable” since researchers began using Artificial Intelligence (AI) to flood it with useless reports, maintainer Linus Torvalds warned.
After describing the latest release candidate as “pretty average” in his weekly Kernel Status post, which covered drivers, networking, the core kernel, and more, Torvalds emphasized that “some of the documentation updates might be worth highlighting.”
“The continuing deluge of AI reports has basically made the security list almost completely unmanageable, with enormous duplication due to different people finding the same things with the same tools,” he said. “People spend all their time forwarding things to the right people or saying ‘that was fixed a week or a month ago’ and pointing out the public discussion.”
Completely useless churn
Torvalds emphasized that these reports are “a completely useless churn,” since most bugs that AI tools detect are “virtually by definition non-secret,” and that reporting them “only makes the duplication worse.”
Beyond complaining, Torvalds gave some concrete advice, asking researchers to use AI “in a way that is productive and provides a better experience”:
“The documentation may be a little less forceful than me, but that is the essential thing,” he concluded. “If you really want to add value, read the documentation, create a patch as well, and add some real value on top of what the AI did. Don’t be the kind of person who goes ‘send a random report without any real understanding.’”
Torvalds is not the first person to point out that people are using AI to cause an avalanche of useless reports. In late January of this year, the developers of curl, the open source command-line tool and software library, announced that they were eliminating their HackerOne bug bounty program for the same reasons.
HackerOne also recently reported that the Internet Bug Bounty Team, which it runs, would no longer reward researchers who identify and report bugs.





