- Linus Torvalds warns AI‑generated bug reports are overwhelming the Linux security mailing list with duplication and noise
- He urged researchers to add real value by creating patches instead of submitting random automated findings
- Similar concerns have already led projects like curl and HackerOne’s Internet Bug Bounty Team to shut down or restrict bug bounty programs
The Linux security mailing list is now “almost entirely unmanageable”, since researchers started using Artificial Intelligence (AI) to flood it with useless reports, lead maintainer Linus Torvalds has warned.
After describing the latest release candidate as “fairly normal” in his latest weekly state of the kernel post, addressing things like drivers, networking, core kernel, and more, Torvalds stressed that “some of the documentation updates might be worth highlighting.”
“The continued flood of AI reports has basically made the security list almost entirely unmanageable, with enormous duplication due to different people finding the same things with the same tools,” he said. “People spend all their time just forwarding things to the right people or saying “that was already fixed a week/month ago” and pointing to the public discussion”.
Entirely pointless churn
Torvalds stressed these reports are “entirely pointless churn”, since most of the bugs AI tools detects are “pretty much by definition not secret”, and that reporting that “only makes duplication worse”.
Besides complaining, Torvalds also gave a few concrete pointers, telling researchers to use AI “in a way that is productive and makes for a better experience”:
“The documentation may be a bit less blunt than I am, but that’s the core gist of it,” he concluded. “If you actually want to add value, read the documentation, create a patch too, and add some real value on *top* of what the AI did. Don’t be the drive-by “send a random report with no real understanding” kind of person.”
Torvalds is not the first person to point to people using AI to cause a flood of pointless reports. In late January this year, the developers of curl, the open source command-line tool and software library, announced they were killing their HackerOne bug bounty program for the same reasons.
HackerOne also recently reported the Internet Bug Bounty Team, which it manages, would no longer reward researchers who identify and reward bugs.
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.
https://cdn.mos.cms.futurecdn.net/LiA4XFi5pzjr8xhKbToVSo-2137-80.jpg
Source link
