David Wheeler Proposes Separate OSS Vulnerability Reports List

David A. Wheeler, a longtime open-source-security figure associated with the OpenSSF, posted a proposal to the public oss-security mailing list archives on June 8, 2026, suggesting a separate list named "oss-security-vulnerability-reports". Under the proposal, routine, run-of-the-mill vulnerability reports would go to the new list, while the existing oss-security list would remain for broader discussion and especially noteworthy public vulnerabilities. The proposal frames the change as preparation for a large increase in AI-generated and AI-assisted vulnerability reports.

The underlying problem is already visible across open source. Reporting in 2026 documented maintainers being overwhelmed by floods of low-quality, often duplicate, AI-generated security reports, and Linus Torvalds described the Linux kernel's security mailing list as almost entirely unmanageable for similar reasons (Tom's Hardware; Help Net Security). For volunteer-run projects, a surge of plausible-but-noisy reports can swamp the human triage capacity that secure disclosure depends on.

Industry pattern: separating high-volume, automated findings into a dedicated channel is a recognized mitigation in other ecosystems. It can let teams subscribe to a machine-readable feed for automated triage while keeping human discussion channels manageable, and it enables different ingestion workflows, rate-limiting, and prioritization. Whether it helps in practice depends on adoption by list maintainers and tooling vendors.

Watch whether oss-security maintainers and infrastructure operators take up the proposal, whether tools begin subscribing to a dedicated feed, and whether the community standardizes machine-readable report formats or rate-limiting. Broader signals include how major projects and disclosure programs adapt as AI-accelerated discovery raises report volumes.