Reports that arrive without fixes, and repeated discoveries of the same bugs by researchers running identical tools, are creating a backlog. Linus Torvalds, the creator of Linux, said in his latest state-of-the-kernel update that the surge of AI-generated reports has overwhelmed the kernel security list, largely because the same tools keep surfacing the same findings, as reported by The Register. This is less of a concern for genuinely critical vulnerabilities such as "Copy Fail," which affected a wide range of Linux distributions and was identified with AI assistance.
Torvalds pointed out that AI-found bugs are generally not sensitive enough to warrant confidential handling; keeping them private only multiplies duplicated effort, since report authors cannot see one another's submissions. While acknowledging the value of AI tools, he stressed that they should be used to make people more productive, and advised against submitting a report one does not understand or to which one adds nothing beyond the tool's own output.
GitHub's Jarom Brown echoed this view, stressing that AI-assisted reports need to be verified and backed by evidence such as a proof of concept. One thoroughly researched and validated finding, he noted, is worth more than many speculative ones in both payout and reputation, and the top earners in bug bounty programs are those who do in-depth research.
