The Shared-Target Tax Arrives
Linus Torvalds says AI bug hunters have made the Linux security list 'almost entirely unmanageable.' The bigger story isn't kernel maintainers — it's what's already pointed at every enterprise vendor inbox.
The Linux Kernel Mailing List has handled the worst people on the internet for thirty years. It survived the embrace-and-extend era, the GPL3 schism, and a pandemic's worth of pull requests written at 3 AM. This weekend Linus Torvalds said the security list has become "almost entirely unmanageable," and the cause isn't human.
It's the bug hunters. More specifically, it's AI-powered bug hunters — multiple researchers running the same tools against the same code, filing the same near-identical reports. Torvalds called it "unnecessary pain and pointless work." The Register caught the quote.
This is the third data point on a line, not the first. Daniel Stenberg, the curl maintainer, spent most of 2024 documenting LLM-generated security reports that hallucinated CVEs against code paths that didn't exist. The Python Software Foundation flagged volume problems in its security inbox. Open-source maintainers started using "AI slop" as a category label, not a joke. The trajectory has been visible for eighteen months. What changed isn't the tools' existence. It's their price.
Here's the dynamic that matters. An AI bug-hunting tool sold to an individual researcher is sold on individual productivity: "find more bugs faster." That metric is accurate. It's also irrelevant the moment a second researcher buys the same tool. Both researchers now find the same bugs, file the same reports, and consume the same maintainer attention. The tool's value per use approaches zero as use approaches universal. Call it the shared-target tax: when an AI's value comes from scanning shared infrastructure, individual productivity gains net out as collective degradation.
(If you're a vendor selling these tools, your pitch deck has a graph showing bug-discovery throughput per researcher. That graph is true. It's also the wrong unit of analysis, and your customers won't realize it until their target tells them so.)
This is the same shape as the story Microsoft executives are leaking to The Information about GitHub Copilot. GitHub had 100 million developers, Microsoft's sales machine, and a multi-year head start. It got passed by Cursor and a handful of agentic-coding rivals anyway. The Information frames this as competitive collapse — incumbents losing benchmark races. That framing flatters the narrative the executives wanted leaked (we just need a better product) and misses the structure: the moat was made of commodity capability, and commodities don't moat. Installed-base advantages evaporate faster than procurement cycles when the underlying tool stops being scarce.
The Linux list is a coordination failure on shared public infrastructure. GitHub Copilot is a market failure on shared private capability. Different surfaces, same physics. AI tooling that wins on individual metrics loses its meaning the moment everyone has it.
Enterprise security teams are next. Within eighteen months, every Fortune 500 SOC will be running at least one commodity AI scanner against its vendor stack. The vendors — Salesforce, Workday, ServiceNow, whichever — will start receiving the same AI-generated vulnerability reports from forty different customers in the same week. Vendor security inboxes will turn into Torvalds' list. The throttling will follow. By mid-2027 I'd bet at least one major SaaS provider publishes a policy explicitly deprioritizing AI-originated submissions, and the security industry treats it as overdue rather than scandalous. If that doesn't happen, the prediction is wrong and I'll say so here.
I don't know what the stable equilibrium looks like. Maybe scanner vendors add cross-customer deduplication. Maybe the bug-bounty platforms become brokers that filter AI noise before it reaches the vendor. Maybe maintainers just keep screaming until something breaks loudly enough to force governance. None of those options favor the buyer who was told the tool would pay for itself in researcher hours saved.
The shared-target tax is invisible on the procurement spreadsheet. It shows up in the inbox of whoever owns the target.
