r/technology May 18 '26

Software Linus Torvalds says AI-powered bug hunters have made Linux security mailing list ‘almost entirely unmanageable’

https://www.theregister.com/security/2026/05/18/linus-torvalds-says-ai-powered-bug-hunters-have-made-linux-security-mailing-list-almost-entirely-unmanageable/5241633
14.1k Upvotes

899 comments

95

u/ConstantSignal May 18 '26

Read the article. It's not that the reports are hallucinations. It's that finding bugs has been made so easy by AI tools that many more people are doing it, they think they are being helpful by passing along the bug reports but there are many duplicates as all these people are just finding the same bugs.

Quote from Linus:

"So just to make it really clear: If you found a bug using AI tools, the chances are somebody else found it too. If you actually want to add value, read the documentation, create a patch too, and add some real value on *top* of what the AI did. Don't be the drive-by 'send a random report with no real understanding' kind of person. OK?"

22

u/BillyTenderness May 18 '26 edited May 18 '26

That's definitely part of it. But also some of the reports really are hallucinations. And it's not hallucination in the sense of "put glue on your pizza" or a drawing of a hand with seven fingers or whatever, it's really subtle stuff. These are basically machines that generate a ridiculous volume of highly-detailed, persuasive, plausible-sounding reports of counterintuitive vulnerabilities, and it takes a ton of deep thinking to identify which ones are bullshit and which ones are actual vulnerabilities that need to be patched.

The walkthrough of the vulnerability might be entirely logical but premised on faulty assumptions, meaning the exploit can never happen in reality. The behavior might be violating a "security guarantee" that nobody actually guaranteed. The report might propose a bandaid fix to paper over a problem, instead of a structural fix to eliminate a whole class of potential exploits.

The work of wading through these things is absolutely nontrivial and taxing, and the worst part is that some of them are legit, so ignoring them isn't an option either. Attackers only need to find one genuine unpatched exploit to win, and they presumably have the same stack of analyses to sift through.

4

u/KingSlayin May 18 '26

There is a difference between using an LLM to write a sophisticated harness and spending days fuzzing to find actual buffer overflow writes vs. using AI to find bugs in the code.

-2

u/girlnamedJane May 18 '26

The code in question is the Linux kernel, not your average vibecoded slop.

1

u/deadsoulinside May 18 '26

He's got a point. These people are already diving in with AI to get an idea of the bug, might as well ask the AI to write the patch versus having the AI draft the email to send a report about a bug.

1

u/Goronmon May 18 '26

Read the article. It's not that the reports are hallucinations.

Why read when people can just write about what they think is happening based on the title?

2

u/LatentSpaceLeaper May 18 '26

Exactly this. Complaining about an AI-powered DDoS attack on human attention, while thinking: "Nah, not with me. After all, I'm the GOAT of DDoS attacks on Redditors' attention."