[ Coming back to this after a week of trying to clean up the disaster that is my inbox after the merge window ]
On Sun, 3 May 2026 at 04:35, Willy Tarreau <[email protected]> wrote:
>
> The use of automated tools to find bugs in random locations of the kernel
> induces a rise in security reports even if most of them should just be
> reported as regular bugs. This patch is an attempt at drawing a line
> between what qualifies as a security bug and what does not, hoping to
> improve the situation and ease decision on the reporter's side.

I actually think we may want to go further than this. I think we should simply make it a rule that "a 'security' bug that is found by AI is public".

Now, I may be influenced by that "my inbox is a disaster during the merge window" thing, but I do think this is pretty fundamental: if somebody finds a bug with more or less standard AI tools (ie we're not talking magical special hardware and nation-state level efforts), then that bug pretty much by definition IS NOT SECRET.

So why should we consider it special and have it be on the security list?

Yes, yes, I know - some people think that "security bugs are special". And I've been on the record before calling that opinion special - in the short bus sense.

Bugs are bugs. And not having them in public only makes them harder to deal with. Do we want to make bugs with potential security impact harder to deal with? No. No, we really don't.

So I claim that the only reason for a security list is the non-public nature of the bug and the whole "responsible disclosure" argument. But that argument is complete and utter garbage in the face of some mostly automated AI discovery (now, that argument is mostly a fiction in the first place, but I am not going to argue with people who have vested interest in making their special patches "security bugs").

To recap - I think this "document the scope of security bugs" is good, but I think we should go even further, and just document the fact that anything found by regular AI tools should just always go to public lists and is simply not special.

               Linus

