Who Writes the Bugs? A Deeper Look at 125,000 Kernel Vulnerabilities
MBCook
67 points
20 comments
March 04, 2026
Related Discussions
- Approaching Zero Bugs? wrxd · 11 pts · May 01, 2026 · 58% similar
- For Linux kernel vulnerabilities, there is no heads-up to distributions ori_b · 444 pts · April 30, 2026 · 56% similar
- The New Linux Kernel AI Bot Uncovering Bugs Is a Local LLM on Framework Desktop guerby · 12 pts · April 26, 2026 · 56% similar
- AI bug reports went from junk to legit overnight, says Linux kernel czar amarant · 41 pts · March 27, 2026 · 54% similar
- Patch Your Kernel NOW: 732byte Python rootkit, cracks all distros since 2017 cednore · 14 pts · April 30, 2026 · 53% similar
Discussion Highlights (7 comments)
dogleash
These smell like the kind of metrics that cause someone to feel informed and then to miss the forest for the trees. The kind of data for a "data driven" decision maker who will just invent a narrative to explain the numbers, and then do what they wanted to do all along. The map is not the territory.
jeffbee
Bugs Georg, who is an outlier and should be excluded from the analysis.
petterroea
Not happy with the lack of statistical testing; some of the smaller differences in % could probably be coincidence.
vintagedave
This reads like Claude wrote it (more than ChatGPT). Interesting data but I am unsure how actionable it is. Are they suggesting, for example, that specific commit messages get scanned more closely? Why is CAN more severe than Intel? (It does worry me. I feel like bugs, of any sort, in car systems are terrifying.)
kittikitti
I'm not sure why this isn't included in the blog, but I was curious about the ratio between bugs and commits. Presented here are my calculations in order of total number of bugs:
- Intel: 11.86% [1]
- Independent: 2.27%
- Red Hat: 9.74%
- Linaro: 12.73%
- Google: 12.78%
- AMD: 9.70%
The above is based on the bug count table in the article.
[1] I combined the total bug count for independent and kernel.org because they are combined for the total contributions here, https://github.com/quguanni/kernel-archaeology/blob/main/scr...
This suggests that corporations are introducing significantly more bugs than independent developers. However, I have not done statistical testing on this nor have I recreated the numbers. If I had to speculate, I would assume that the analysis from the author was partly vibe-coded or they purposely left this analysis out due to fear of retaliation. Extending my speculation would also include that corporations are purposely introducing bugs out of malice such that there are backdoors available for them. The author mentions that there is no "corporate takeover" but perhaps there are more interesting conclusions to be found.
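Two of the comments above ask for the same thing: a bugs-per-commit ratio per affiliation, and a statistical test before reading anything into a few tenths of a percent of difference. The script below is an added example written for this page; it is not code from the article, the kernel-archaeology repository, or any commenter. The counts in SAMPLE_COUNTS are constructed sample data, not the article's table, and the affiliation labels are assumed to have already been assigned (how reliably email domains map to employers is a separate question raised further down the thread). It computes the per-affiliation ratio and a pooled two-proportion z-test against a chosen baseline, using only the standard library.

```python
import math
from typing import Dict, Tuple

# Constructed sample data for illustration only, NOT the article's figures.
# Each entry is (commits later attributed as introducing a bug, total commits).
SAMPLE_COUNTS: Dict[str, Tuple[int, int]] = {
    "Independent": (2270, 100000),
    "Intel": (5930, 50000),
    "Red Hat": (3896, 40000),
    "Linaro": (1273, 10000),
    "Google": (1278, 10000),
    "AMD": (1940, 20000),
}


def bug_ratio(bugs: int, commits: int) -> float:
    """Fraction of an affiliation's commits that were later tied to a bug."""
    if commits <= 0:
        raise ValueError("commit count must be positive")
    if not 0 <= bugs <= commits:
        raise ValueError("bug count must lie between 0 and the commit count")
    return bugs / commits


def two_proportion_ztest(b1: int, n1: int, b2: int, n2: int) -> Tuple[float, float]:
    """Pooled two-proportion z-test.

    Returns (z, two-sided p-value) for H0: the two groups have the same
    bug-per-commit rate. p is computed from the normal tail via erfc, so no
    scipy dependency is needed. Both groups must have at least one bug and
    one clean commit in total, otherwise the pooled variance is zero.
    """
    p1, p2 = bug_ratio(b1, n1), bug_ratio(b2, n2)
    pooled = (b1 + b2) / (n1 + n2)
    se = math.sqrt(pooled * (1.0 - pooled) * (1.0 / n1 + 1.0 / n2))
    if se == 0.0:
        raise ValueError("pooled proportion is 0 or 1; z-test is undefined")
    z = (p1 - p2) / se
    p_value = math.erfc(abs(z) / math.sqrt(2.0))  # two-sided normal tail
    return z, p_value


def compare_to_baseline(
    counts: Dict[str, Tuple[int, int]], baseline: str = "Independent"
) -> Dict[str, Tuple[float, float, float]]:
    """For every affiliation except the baseline: (ratio, z, p vs. baseline)."""
    b0, n0 = counts[baseline]
    result = {}
    for name, (b, n) in counts.items():
        if name == baseline:
            continue
        z, p = two_proportion_ztest(b, n, b0, n0)
        result[name] = (bug_ratio(b, n), z, p)
    return result


if __name__ == "__main__":
    print(f"baseline Independent: {bug_ratio(*SAMPLE_COUNTS['Independent']):.4f}")
    for name, (ratio, z, p) in compare_to_baseline(SAMPLE_COUNTS).items():
        print(f"{name:12s} ratio={ratio:.4f} z={z:+.2f} p={p:.3g}")
    # Pairwise check of two close-looking groups, which is the point of the
    # 'could be coincidence' objection: a 0.05 point gap on 10k commits each.
    z, p = two_proportion_ztest(*SAMPLE_COUNTS["Google"], *SAMPLE_COUNTS["Linaro"])
    print(f"Google vs Linaro: z={z:+.2f} p={p:.3g}")
```

With these constructed counts, the gap between the corporate groups and the baseline is large enough that the test flags it easily, whereas Google versus Linaro is indistinguishable, which is exactly the distinction the comments are asking the article to make. The test says nothing about causation: denominators built from all commits, including trivial ones, and affiliation labels derived from email domains can both move these ratios more than the test's own uncertainty does.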
charcircuit
I'd also like to see this broken down for C vs Rust.
vlovich123
> Half the kernel is still built by individuals: people using gmail.com, personal domains, or university emails. The "corporate takeover" narrative is overstated. Companies contribute heavily, but the kernel remains a genuinely collaborative project. Isn't the assumption here flawed? Someone may be employed by a corporation but still use their gmail/personal domain/university domain. This needs to be cross-correlated against some secondary source of employment data to give a more accurate picture.