- Linus Torvalds Warns of AI-Generated Bug Reports Overwhelming Linux Security Mailing List with Duplication and Noise
- He encouraged researchers to add real value by creating patches instead of submitting random automated finds
- Similar concerns have already led projects like curl and HackerOne’s Internet Bug Bounty Team to close or limit bug bounty programs
The Linux security mailing list has become “almost completely unmanageable” since researchers started using artificial intelligence (AI) to flood it with useless reports, lead maintainer Linus Torvalds has warned.
After describing the newest release candidate as “pretty normal” in his weekly state of the kernel post, which covered drivers, networking, the kernel and more, Torvalds emphasized that “some of the documentation updates might be worth highlighting.”
“The constant flow of AI reports has basically made the security list almost completely unmanageable, with huge duplication due to different people finding the same things with the same tools,” he said. “People spend all their time just forwarding things to the right people or saying ‘it was already fixed a week/month ago’ and pointing to the public discussion.”
Totally pointless churn
Torvalds stressed that these reports are “completely pointless churn”, as most of the bugs AI tools detect are “pretty much by definition not secret”, and the reporting “only makes duplication worse”.
Besides complaining, Torvalds also offered a few concrete tips, telling researchers to use AI “in a way that is productive and provides a better experience”:
“The documentation might be a bit less tight than I am, but that’s the gist of it,” he concluded. “If you actually want to add value, read the documentation, also make a patch and add some real value on top of what the AI did. Don’t ‘send a random report with no real understanding’ as a person.”
Torvalds is not the first person to point to people using artificial intelligence to cause a flood of meaningless reports. In late January of this year, the developers of curl, the open source command-line tool and software library, announced that they were killing their HackerOne bug bounty program for the same reasons.
HackerOne also recently reported that the Internet Bug Bounty Team, which it manages, would no longer reward researchers who identify and report bugs.




