Linus Torvalds: AI is overloading Linux operating system security.


In his weekly LKML post, Torvalds stated that the project’s private security list is now “almost unmanageable.” The cause is that numerous independent researchers run the same AI tool over the same piece of code, discover identical bugs, and then submit reports en masse. Because the list is private and its contents confidential, researchers cannot know whether anyone else has already reported the bug. As a result, the project’s engineers spend a significant amount of time sorting through duplicate emails and pointing senders to fixes that are already weeks old.

“By definition, AI-detected errors are hardly secret. Dealing with them is a waste of time for everyone involved,” Torvalds said.

According to the newly updated Linux kernel documentation, the project now officially requires all vulnerabilities found using AI tools to be treated as public disclosures. Instead of submitting them to the private security list, reporters must send them directly to the engineers who maintain the relevant source code. These reports must be concise, in plain text format, and include a verified reproduction procedure demonstrating that the vulnerability is real and not a fabricated flaw.

Linus Torvalds. Photo: GitHub


According to Tom’s Hardware, the explosion of AI is completely changing the landscape of open-source security. Willy Tarreau, founder of HAProxy, said that two years ago the Linux kernel security mailing lists received only about 2-3 reports per week, whereas they now receive 5-10 reports per day. While most of the reported bugs are real, the heavy duplication caused by the shared use of AI tools has overloaded the traditional triage process.

In light of this situation, Linus Torvalds urged security experts to take greater responsibility instead of simply “sending junk” to developers. “If you really want to contribute value, read the documentation, write a patch yourself based on what the AI finds. Don’t just randomly submit reports without any real-world understanding,” he emphasized.

This approach is already being applied effectively by Greg Kroah-Hartman, a Linux maintainer. He developed his own AI-powered bug-finding system, called Clanker T1000. When it detects a bug, he writes the fix himself, takes legal responsibility for the source code, and makes the entire process public to the community.

Last month, the Linux kernel project also issued an official policy on AI-assisted contributions. The policy allows the use of AI-generated code but imposes strict transparency rules. AI tools are not allowed to add Signed-off-by tags. Instead, programmers must use Assisted-by tags to publicly disclose the tools they used. The policy states that humans are the sole and ultimate legally responsible parties for every line of code, and for any errors generated by AI, that is submitted to the kernel.
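The two trailer rules described above lend themselves to a mechanical check on a commit message. The following script is an added example written for this article, not code from the Linux kernel project; it assumes the trailer names `Signed-off-by:` and `Assisted-by:` as the kernel documentation spells them (the article renders them as “sign off by” and “Assisted by”), treats a sign-off that names a declared assistant tool as the tool signing off (a heuristic of this example, not the kernel’s own enforcement), and uses constructed commit messages with a hypothetical tool name.

```python
import re

# A trailer line looks like "Key-Name: value"; Git trailers occupy the last paragraph.
TRAILER_RE = re.compile(r"^([A-Za-z][A-Za-z-]*):\s*(.+?)\s*$")

# Constructed sample commit messages (not real kernel commits).
GOOD = """net: fix refcount leak in error path

The error path returned without dropping the reference taken earlier.

Assisted-by: ExampleAssistant v1
Signed-off-by: Jane Developer <jane@example.com>
"""

BAD_TOOL_SIGNOFF = """net: fix refcount leak in error path

Assisted-by: ExampleAssistant v1
Signed-off-by: ExampleAssistant v1 <bot@example.com>
"""

BAD_NO_SIGNOFF = """mm: tidy up a comment

Assisted-by: ExampleAssistant v1
"""


def parse_trailers(message: str) -> list[tuple[str, str]]:
    """Return (key, value) pairs from the trailer block.

    The trailer block is the last paragraph of the message, and only counts
    if every non-empty line in it has the form "Key: value".
    """
    paragraphs = [p for p in message.strip().split("\n\n") if p.strip()]
    if not paragraphs:
        return []
    trailers = []
    for line in paragraphs[-1].splitlines():
        m = TRAILER_RE.match(line.strip())
        if not m:
            return []  # last paragraph is prose, so there are no trailers
        trailers.append((m.group(1), m.group(2)))
    return trailers


def check_commit(message: str) -> list[str]:
    """Return a list of policy violations; an empty list means the commit passes."""
    trailers = parse_trailers(message)
    signoffs = [v for k, v in trailers if k.lower() == "signed-off-by"]
    assisted = [v for k, v in trailers if k.lower() == "assisted-by"]
    problems = []

    # Rule 1: a human must take responsibility, so at least one sign-off is required.
    if not signoffs:
        problems.append("missing Signed-off-by: a human must take responsibility for the change")

    # Rule 2 (heuristic, an assumption of this example): a sign-off that names a
    # tool declared in Assisted-by is treated as the tool signing off, which is forbidden.
    for tool in assisted:
        tool_name = tool.split("<")[0].strip().lower()  # drop any <address> part
        for s in signoffs:
            if tool_name and tool_name in s.lower():
                problems.append(
                    f"Signed-off-by names the assistant '{tool.strip()}'; only humans may sign off"
                )

    # A sign-off without a contact address cannot be traced back to a person.
    for s in signoffs:
        if not re.search(r"<[^<>@\s]+@[^<>@\s]+>", s):
            problems.append(f"Signed-off-by '{s}' lacks a contact address")

    return problems


if __name__ == "__main__":
    for name, msg in [("GOOD", GOOD), ("BAD_TOOL_SIGNOFF", BAD_TOOL_SIGNOFF), ("BAD_NO_SIGNOFF", BAD_NO_SIGNOFF)]:
        print(name, "->", check_commit(msg) or "OK")
```

The check deliberately stays conservative: it does not try to decide which names are AI tools on its own, only whether a tool the submitter already disclosed in `Assisted-by:` also appears in a sign-off, and whether any human sign-off exists at all. A hook of this shape can run in a `commit-msg` or pre-receive hook before the patch ever reaches a mailing list.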

The Linux community is one of the largest and most enduring open-source communities in the world, bringing together tens of thousands of programmers, engineers, and technology companies that have contributed to its development over the past three decades. Not owned by a single company, Linux is built on a global collaborative model, with the Linux kernel maintained by the community and distributions like Ubuntu, Debian, and Red Hat developed by various organizations based on that platform.

Thanks to its openness, stability, and high customizability, Linux has become the dominant operating system in modern digital infrastructure, powering the majority of the world’s leading Internet servers and supercomputers, the Android platform on billions of smartphones, as well as cloud computing systems, AI, and embedded devices. This pivotal role means Linux is not just an operating system, but a crucial technical foundation for today’s global digital economy and technology.

Compiled by Huy Duc
