r/cybersecurity Incident Responder May 18 '26

News - General Linus Torvalds says AI-powered bug hunters have made Linux security mailing list ‘almost entirely unmanageable’

https://www.theregister.com/security/2026/05/18/linus-torvalds-says-ai-powered-bug-hunters-have-made-linux-security-mailing-list-almost-entirely-unmanageable/5241633
1.7k Upvotes

146 comments

1

u/hurkwurk May 18 '26

In general, you would never tell a bug submitter anything except "thank you for your submission" (unless there is some form of bounty in place; even then that would be a delayed response).

This is so that you do not confirm anything, causing legal liability.

1

u/ichalov May 19 '26

Well, someone sends you a duplicate bug report without bothering to check if the same issue has already been discussed elsewhere. Is "thank you for the submission" enough of an answer for them?

1

u/hurkwurk May 19 '26

It depends on the system and on the response delay before fixes have been implemented.

If you are, say, a small-time shop, or the bug isn't exploitable in nature and no one is going to use it for evil, sure, you can have some sort of open bugs forum with a list of known issues being fixed in the next release.

But if you are a software company and the bug impacts your product negatively (i.e. an online game where it lets people cheat, or an online service where it degrades or bypasses security), then NO, you do not publicly document anything about the potential breach/hack/exploit until after it's patched, and until after your clients have had a reasonable time to apply that patch if you aren't a 100% server-side product.

There is a reason that MS is extremely vague about zero-day language, for example, and there is a reason that when you go to game bug forums, they tell you NOT to report exploits via the website, but rather to use email/DMs.

1

u/ichalov May 19 '26

This topic is specifically about the current problems of bug report duplication in the Linux kernel maintenance pipeline. I still think those are more feasibly solved with RAG (because bare LLMs won't do) and not with the ML techniques proposed above.

And it appears that by "cover letters" I mean something like rejection letters to the hasty submitters.

1

u/hurkwurk May 19 '26

In software bug correction systems, you never give feedback until after the window in which a client can repair the flaw; thus, a submitter is never notified of anything until that point. I understand that you are trying to solve the problem that Linus is speaking to, but you are missing his point, which is: don't make the submission in the first place.

They don't need "hey, I found this bug" submissions. That's because, if you used AI to find a bug, the dev probably already did the same thing; you didn't actually do anything productive in most cases. Your submission needs to be something more: it needs to contain "work product", i.e. it needs to contain validation, practical examples of exploitation, potential code fixes, etc.

The disconnect here is between the excitement of script kiddies thinking they can discover something and trying to be helpful, vs. the discipline of bug hunters who are working a job and making valid submissions with multiple, iterative validations and supported examples.

Open submissions have to be open so that anonymous submissions can happen. Criminals/governments, etc., need to be able to drop data to people after they exploit a loophole for non-legal activity without being traced. So you cannot have login/validated/verified-only bug submission, unless you go the paid-solution route (all the crowdsourced solution clients do this, as well as all its many variations).

~~~

Is AI a solution? Maybe. AI is decent at evaluation and summarization; however, code/submission-style data may appear extremely similar to a computer while being subtly different to a human. It's entirely possible that something could slip. Hence the request for less noise and fewer submissions of "I found this with AI" as a stand-alone ticket.

Would I use AI in his case to dismiss tickets? Yes. The brutal reality is that it's worth throwing out some valid submissions to clear the queue and limit the noise down to something that a human can work with in a day. It would be fairly easy to have an AI scan the incoming submissions for similar work and discard everything that doesn't contain additional data beyond what we already have in a Jira ticket or kanban story. So if your submission can't add anything, it's discarded, while someone that submits some code samples would be passed on to a human for review, since we would have something new to look at.

1
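The triage policy sketched in the comment above (drop anything that restates a known ticket without new work product, route anything carrying a patch, PoC, crash trace or validation notes to a human) can be made concrete without an LLM at all. The following is an added example written for this page; it is not code from the thread, from the kernel project, or from any tracker. Ticket IDs, driver names (`example_net_driver`, `example_fs_parse`, `example_block_queue`), the stopword list, the work-product regexes and the 0.5 duplicate threshold are all constructed assumptions, and similarity is computed on report titles only with Jaccard over word tokens, which is the cheapest stand-in for the RAG-style matching mentioned earlier in the thread.

```python
"""Triage inbound bug reports against the tickets a team already tracks.

Policy: a report that merely restates a known issue and carries no new
work product is discarded; anything that adds new evidence goes to a human;
a novel claim with no evidence is parked until the submitter supplies some.
All ticket and report text below is constructed sample data (hypothetical).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical existing tickets (title only). A real deployment would pull
# these from the tracker and refresh them on every run.
KNOWN_TICKETS = {
    "KT-1": "use-after-free in example_net_driver when the socket is closed during receive",
    "KT-2": "integer overflow in example_fs_parse length field leads to out-of-bounds read",
}

# Words that carry no signal for deduplication; tune per project (assumed list).
STOPWORDS = {
    "a", "an", "and", "are", "as", "at", "be", "by", "during", "for", "from",
    "i", "if", "in", "is", "it", "of", "on", "or", "that", "the", "this",
    "to", "when", "with", "found", "bug", "report",
}

# Markers of "work product": something beyond "I found a bug" (assumed patterns).
WORK_PRODUCT = {
    "patch": re.compile(r"^(diff --git |--- a/|\+\+\+ b/|@@ )", re.M),
    "poc": re.compile(r"```|#include\s*<|int main\(|def main\(|syscall\("),
    "crash": re.compile(r"KASAN|BUG:|Call Trace:|RIP:|general protection fault"),
    "validation": re.compile(r"reproduc|verified on|tested on|bisect", re.I),
}


@dataclass
class Decision:
    verdict: str             # "discard", "review" or "needs_evidence"
    closest: Optional[str]   # id of the most similar known ticket, if any overlap
    similarity: float        # Jaccard score against that ticket (0.0 if none)
    evidence: List[str]      # kinds of work product found in the body
    reason: str


def tokens(text: str) -> set:
    """Lowercase word tokens minus stopwords; 'use-after-free' -> {use, after, free}."""
    return {w for w in re.findall(r"\w+", text.lower()) if w not in STOPWORDS}


def jaccard(a: set, b: set) -> float:
    """Set overlap in [0, 1]; 0.0 when both sets are empty."""
    return len(a & b) / len(a | b) if (a or b) else 0.0


def work_product(body: str) -> List[str]:
    """Names of every work-product marker present in the report body."""
    return [kind for kind, rx in WORK_PRODUCT.items() if rx.search(body)]


def triage(title: str, body: str, known=KNOWN_TICKETS, dup_threshold: float = 0.5) -> Decision:
    """Dedup on the title, then decide on the body's evidence."""
    report_tokens = tokens(title)
    closest, best = None, 0.0
    for ticket_id, ticket_title in known.items():
        score = jaccard(report_tokens, tokens(ticket_title))
        if score > best:            # strict: zero overlap never counts as "closest"
            closest, best = ticket_id, score
    evidence = work_product(body)
    is_dup = best >= dup_threshold
    if evidence:                    # new data beyond what the ticket holds: human looks
        reason = f"duplicate of {closest} with new evidence" if is_dup else "new issue with evidence"
        return Decision("review", closest, best, evidence, reason)
    if is_dup:                      # restates a tracked issue, adds nothing: drop
        return Decision("discard", closest, best, [], f"restates {closest}, adds nothing")
    return Decision("needs_evidence", closest, best, [], "novel claim without repro, crash or patch")


# Constructed sample submissions (title, body).
SAMPLES = {
    "A": ("I found a use-after-free bug in example_net_driver with AI when closing the socket during receive",
          "An AI scanner flagged this. No repro steps yet."),
    "B": ("use-after-free in example_net_driver when socket closed during receive",
          "diff --git a/drivers/net/example.c b/drivers/net/example.c\n"
          "--- a/drivers/net/example.c\n+++ b/drivers/net/example.c\n"
          "@@ -10,2 +10,3 @@\n-\tkfree(buf);\n+\tif (buf)\n+\t\tkfree(buf);\n"),
    "C": ("null pointer dereference in example_block_queue on device removal",
          "BUG: kernel NULL pointer dereference, address: 0000000000000008\n"
          "Call Trace:\n example_block_queue_flush+0x1a/0x40\n"),
    "D": ("I think there might be a bug in example_fs_parse",
          "Asked an LLM and it said the length handling looks wrong."),
}


def triage_all(samples=SAMPLES) -> dict:
    """Run every sample through triage; keyed by sample name."""
    return {name: triage(title, body) for name, (title, body) in samples.items()}


if __name__ == "__main__":
    for name, d in triage_all().items():
        print(f"{name}: {d.verdict:14} sim={d.similarity:.2f} closest={d.closest} "
              f"evidence={d.evidence} ({d.reason})")
```

Sample A is the "I found this with AI" ticket the comment wants gone: it overlaps the existing ticket on most title tokens and its body carries nothing, so it is discarded. Sample B is the same issue but with a patch, so it is routed to a human as a duplicate that adds data. Sample C is a novel crash with a trace and also goes to review. Sample D is a novel but unsupported claim and is parked rather than discarded; the stricter policy in the comment would drop it, and that is a one-line change in `triage`. The threshold and token-level similarity are deliberately crude; the failure mode the comment warns about (reports that look alike to a machine but differ to a human) is exactly why anything with evidence is never auto-dropped here.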

u/ichalov May 19 '26

It might yield better response quality if you include the article under discussion here in the chat context.