AB 2720: State government: Office of Information Security: cybersecurity vulnerability reporting.

Existing law establishes the Office of Information Security in the Department of Technology, the purpose of which is to ensure the confidentiality, integrity, and availability of state systems and applications.

This bill would authorize the office to establish a Cybersecurity Vulnerability Reporting Reward Program for the purpose of soliciting eligible individuals to identify and report previously unknown vulnerabilities in state computer networks and making a monetary award for an eligible report, subject to appropriation of sufficient funds by the Legislature. The bill would require the office to develop policies, standards, and procedures for the administration of the program, including eligibility and award criteria. The bill would specify that the minimum award shall be $100, and the maximum award shall be $5,000. The bill would prohibit an individual from receiving an award unless he or she, among other things, has not attempted to access another persons data, or otherwise has not engaged in any unlawful, disruptive, or damaging activity in the course of investigating the existence of the suspected vulnerability and is not a state employee or contractor, or the spouse or immediate family member of a state employee or contractor.