'The continued flood of AI reports has basically made the security list almost entirely unmanageable': Linus Torvalds laments how people are wasting the Linux team's time with LLMs

Linus Torvalds has publicly criticized the Linux development community for flooding the kernel's security reporting channels with AI-generated vulnerability reports that go nowhere. The Linux creator says the sheer volume of these LLM-generated submissions has rendered the security list "almost entirely unmanageable."

Torvalds isn't categorically opposed to AI tools. His complaint centers on how developers use language models to identify potential issues, then submit them without proper validation or follow-up work. This creates noise that buries legitimate security concerns and wastes the time of kernel maintainers who must sort through mountains of unvetted reports.

The problem reflects a broader tension in open-source development. AI tools like ChatGPT excel at pattern matching and can flag suspicious code segments. However, they frequently generate false positives and require human expertise to confirm whether a flagged issue represents an actual vulnerability or a misunderstanding of the code's intent. When submitters abandon their findings after the initial AI report, maintainers inherit the burden of determining legitimacy.

For Linux, this timing matters. The kernel receives thousands of patches monthly from contributors worldwide. Adding unverified AI-generated reports to the security list stretches an already resource-constrained team. Kernel maintainers operate largely on volunteer time and must prioritize real vulnerabilities. Wading through noise delays responses to actual threats.

Torvalds' frustration mirrors concerns across open-source projects. While AI tools democratize vulnerability research by lowering technical barriers to entry, they also risk degrading the signal-to-noise ratio in critical communication channels. The issue isn't whether developers should use AI for security research. The issue is accountability. Submitters need to validate findings before reporting them, understand the code context, and be prepared to engage with maintainers on follow-ups.

The Linux kernel's security ecosystem depends on trust and active participation. AI