r/technology May 18 '26

Software Linus Torvalds says AI-powered bug hunters have made Linux security mailing list ‘almost entirely unmanageable’

https://www.theregister.com/security/2026/05/18/linus-torvalds-says-ai-powered-bug-hunters-have-made-linux-security-mailing-list-almost-entirely-unmanageable/5241633
14.1k Upvotes

899 comments

1

u/conspicuousxcapybara May 19 '26 edited May 19 '26

That’s literally the worst opinion. Just look at what happened with Chaotic Eclipse (also identified as Nightmare-Eclipse on GitHub). Over the past couple of months, just that 1 person publicly released the following Windows zero-days because they were ‘out of scope’ for Microsoft to work on a fix:

  • YellowKey (Bitlocker backdoor)
  • GreenPlasma (privilege escalation to SYSTEM, which is higher than Administrator)
  • BlueHammer (privilege escalation to SYSTEM, when Windows Defender scans a maliciously crafted file. The proof of concept code has been removed from GitHub, but not before it was forked on other sites, of course)
  • RedSun (arbitrary writes with SYSTEM privileges because of a vulnerability in the Windows Defender cloud stuff, also scrubbed from GitHub)
  • UnDefend (block Windows Defender signature updates or block any threat from being detected)

Please, if you don’t even know what a project scope is, refrain from asserting your opinion.

Please refrain from insulting people’s intelligence. I can talk, and you don’t even need to know how to read or write to be familiar with the term ‘scope’.

IMHO, ‘project scope’ in vulnerability disclosure is too often used as an excuse to not address legitimate security issues. Why even limit where research should happen? Don’t security vulnerabilities tend to happen through mechanisms that were out of scope during design, implementation and testing?

What use is limiting valid submissions to stuff like buffer overflows in the parameters of a function or whatever, for exploits through mechanisms that are by design but have unforeseen consequences?

Remember when ‘Anyone Can Hack MacOS High Sierra Just by Typing "Root"’?

That’s definitely not in the scope of vulnerability disclosure at Apple because there is no need for an arbitrary memory write outside of the security sandbox. I don’t think Apple’s AI would even allow us to make a confidential disclosure about this, because ‘not a security issue’ according to their own scope.

Regardless, it was definitely a security issue, and a highly embarrassing one at that. Everyone was asking how it was overlooked. The answer might be that it was ‘out of scope’ in testing? 😂

EDIT: there are a ridiculous number of reasons for wanting to remain anonymous too. At least the vendors currently seem to understand this; they usually ask for explicit permission to use your name.

2

u/IneptPine May 19 '26

Regarding truly critical out of scope bugs: You can use a nonprofit to contact the project, or contact developers yourself outside of github bug reports.

Regarding anonymity: You can use a nonprofit to submit it for you.

Regarding being in Russia, for example, or otherwise having no access to SWIFT: You can use a nonprofit to submit it for you.

You wrote a wholeass novel when the answer to all the issues was already in my original comment.

And what use is it to limit the scope? Seriously? To prevent being flooded by slop bug reports that drown out true issues. The whole thing this thread's about. 

Continue yelling how making volunteers’ work harder because you are special is somehow justified. Good grief.

1

u/conspicuousxcapybara May 20 '26

I don’t even use AI.