The Linux kernel just tightened its rules on what counts as a real security problem. And the reason comes straight from the flood of submissions hitting its private security list. Many arrive laced with the telltale signs of large language models. Long. Repetitive. Heavy on speculation. Light on tested reproducers.
Developers noticed the pattern months ago. A significant fraction of reports to the security team now trace back to AI-assisted code reviews. The surge prompted longtime kernel contributor Willy Tarreau to draft fresh guidance. Linus Torvalds merged it this week into the upcoming Linux 7.1 release. The new text appears in the kernel documentation tree via this commit.
Phoronix first detailed the changes on May 15. The article quotes the documentation at length and notes the timing coincides with a wave of high-profile kernel vulnerabilities. Phoronix reported that the majority of bugs sent to the security list turn out to be ordinary defects. They belong on public mailing lists instead.
The document spells out the kernel’s threat model in plain terms. Security issues worthy of private handling must grant an attacker a capability they should not possess on a correctly configured production system. The flaw must prove easy to exploit. It must pose an imminent threat to many users. Before hitting the security address, reporters should ask whether the bug actually crosses a trust boundary.
That last point matters. Containers run on shared kernels. Cloud instances host multiple tenants. A bug that seems serious in a lab may not qualify when measured against real deployment scenarios. The guidance urges reporters unsure of the classification to err private. The security team would rather triage borderline cases than overlook genuine vulnerabilities.
But the real focus lands on AI. “If you resorted to AI assistance to identify a bug, you must treat it as public.” The sentence lands hard. Short. Direct. No wiggle room. Experience shows these discoveries surface simultaneously across multiple researchers. Often on the same day.
Slashdot covered the story one day later, echoing the core message. Its summary highlights the requirement to treat AI-found bugs as public while cautioning against openly sharing reproducers that could cause harm. Mention the reproducer exists. Wait for maintainers to ask privately.
The documentation lists five practical rules for anyone using AI tools. Keep reports concise. Put the summary and critical details first. AI output tends toward excessive length and multiple sections. Triage engineers cannot afford to hunt for affected files or impact statements buried on page three.
Convert everything to plain text. Markdown decorations break when forwarded or quoted. They complicate searches. They add nothing of value. The kernel lists have run plain text for decades. The new text insists reports respect that tradition.
Stick to verifiable facts on impact. Avoid theoretical consequences. Many AI reports invent long chains of speculative damage. The kernel already publishes its threat model in Documentation/process/threat-model.rst. The guidance tells reporters to make their tools read that document before evaluating severity. An example given: state that the bug permits any user to gain CAP_NET_ADMIN. Stop there. Do not catalog every possible downstream effect.
Test reproducers. Thoroughly. AI tools can generate them. Yet many fail under real conditions. If the tool cannot produce a working reproducer, question the report’s validity. Since the report will land on a public list once triaged, hold the reproducer until maintainers request it.
Propose a fix and test it. The document notes that many AI systems write code better than they assess impact. A proposed patch must follow the established submitting-patches.rst rules. It must carry a Fixes: tag pointing to the offending commit. If the fix cannot be tested because it depends on rare hardware or obsolete protocols, the issue likely fails the security bar.
These rules carry consequences. Failure to follow them risks the report being ignored. Maintainers already drown in volume. Poorly prepared submissions only accelerate that fatigue.
The timing feels pointed. In recent weeks the community has absorbed a string of serious local privilege-escalation flaws. Copy Fail, tracked as CVE-2026-31431, surfaced through an AI-assisted scan of the crypto subsystem. Theori disclosed it publicly in late April after responsible reporting. A 732-byte Python script delivered reliable root on distributions dating back to 2017. Palo Alto Networks’ Unit 42 team analyzed the bug’s origins in a 2017 in-place optimization for AEAD encryption. Their write-up explains how the flaw allowed attackers to splice data directly into page cache.
Similar AI-discovered issues followed. Fragnesia, Dirty Frag, and at least one ptrace-related flaw each granted root through different kernel paths. ZDNet tracked the pattern in early May. The outlet reported that AI now exposes holes faster than developers can patch them. Each new case reinforced the sense that automated tools scan code at speeds humans cannot match.
Yet speed brings noise. The kernel security team saw the volume spike. Many submissions repeated the same flaws or misclassified normal bugs. Some reports arrived formatted like marketing decks. Others speculated about apocalyptic outcomes without evidence. The new documentation draws a firm boundary between valuable research and automated slop.
Willy Tarreau’s text does not dismiss AI. It acknowledges the tools can reach rarely explored code areas. The guidance simply demands rigor. Verify. Test. Summarize. Respect the project’s established processes. Use common sense. If a file has sat untouched for a year under a single maintainer and targets obsolete hardware, the report probably does not deserve security-list attention.
That pragmatic tone runs through the entire document. It reflects years of experience triaging reports. It also reveals the pressure modern tooling places on volunteer maintainers. The Linux kernel powers everything from smartphones to supercomputers. Its security team cannot scale infinitely.
Industry watchers reacted quickly on X. Discussions mixed appreciation for clearer rules with concern over the flood of AI-generated noise. Some developers predicted the guidance would push more serious researchers toward private coordination before public disclosure. Others worried it might discourage newcomers who rely on AI to understand kernel internals.
The documentation does not stand alone. It cross-references the existing threat model and reporting guides. Readers must absorb those texts too. The kernel project has long favored public development. This update reinforces that preference while carving out narrow exceptions for urgent, exploitable issues.
Expect the effects to appear soon. Linux 7.1-rc4 already carries the text. Distributors will ship it with the next stable releases. Security researchers will adjust their workflows. AI tool builders may incorporate the kernel’s recommendations directly into prompts. The goal remains unchanged. Find real bugs. Fix them properly. Keep the process sustainable.
The kernel community has faced tooling shifts before. Static analyzers, fuzzers, and formal verification each required adaptation. AI represents the latest wave. This time the project responded with explicit instructions rather than silent endurance. The message is clear. Help is welcome. Standards still apply.


WebProNews is an iEntry Publication