AB 2720, as amended, Chau. State government: Office of Information Security: cybersecurity vulnerability reporting.
Existing law establishes the Office of Information Security in the Department of Technology, the purpose of which is to ensure the confidentiality, integrity, and availability of state systems and applications.
This bill would authorize the office to establish a Cybersecurity Vulnerability Reporting Reward Program for the purpose of soliciting eligible individuals to identify and report previously unknown vulnerabilities in state computer networks and making a monetary award for an eligible report, subject to appropriation of sufficient funds by the Legislature. The bill would require the office to develop policies, standards, and procedures for the administration of the program, including eligibility and award criteria. The bill would specify that the minimum award shall be $100, and the maximum award shall be $5,000. The bill would prohibit an individual from receiving an award unless he or she, among other things, has not attempted to access another person’s data, or otherwise has not engaged in any unlawful, disruptive, or damaging activity in the course of investigating the existence of the suspected vulnerability and is not a state employee or contractor, or the spouse or immediate family member of a state employee or contractor.
Vote: majority. Appropriation: no. Fiscal committee: yes. State-mandated local program: no.
The people of the State of California do enact as follows:
Section 11549.41 is added to the Government Code, immediately following Section 11549.4, to read:
(a) The office, subject to appropriation of sufficient funds by the Legislature, may establish a Cybersecurity Vulnerability Reporting Reward Program for the purpose of soliciting eligible individuals to identify and report previously unknown vulnerabilities in state computer networks and making a monetary award for an eligible report.
(b) The chief shall have sole discretion, subject to this section, to determine the eligibility of a reported vulnerability and of the individual reporting the vulnerability, and whether to make an award, and, if so, in what amount.
(c) The office shall develop policies, standards, and procedures for the administration of the program, including eligibility and award criteria, subject to the following requirements:
(1) The policies, standards, and procedures shall specify all of the following:
(A) That the priority of the program is to identify vulnerabilities in state networks that could compromise the integrity of user data, circumvent the privacy protections in use to protect user data, or enable unauthorized access to state networks or infrastructure.
(B) Which state agencies and departments are included in the program.
(C) Qualifying and nonqualifying vulnerabilities.
(D) That the minimum award for a qualifying vulnerability shall be one hundred dollars ($100), and the maximum award shall be five thousand dollars ($5,000).
(E) That the determination of the amount of an award made within the range established by subparagraph (D) shall be solely at the discretion of the chief, based upon the sensitivity of the reported vulnerability, the specificity of the report, and any other factor that the chief may deem to be relevant.
(2) A vulnerability report may be eligible for an award only if both of the following requirements are met:
(A) The vulnerability was not previously known or reported to the office.
(B) The report contained all necessary information and is in the required format, as specified by the office.
(3) An individual may receive an award for submitting an eligible vulnerability report only if all of the following requirements are met:
(A) He or she has not attempted to access another person’s data, or otherwise has not engaged in any unlawful, disruptive, or damaging activity in the course of investigating the existence of the suspected vulnerability.
(B) He or she is not on any federal sanctions list, or located in a country that is on any federal sanctions list.
(C) He or she submits a vulnerability report that includes, but is not limited to, a description of the vulnerability, the specific risks involved, and at least one valid description of the circumstances under which the vulnerability could be exploited.
(D) He or she is not a state employee or contractor, or the spouse or immediate family member of a state employee or contractor.
(E) He or she does not knowingly make any false, fictitious, or fraudulent statements or representations to the office when submitting information under this section, or knowingly include any false, fictitious, or fraudulent writing, document, statement, or entry therein.
(d) Nothing in this section shall be construed to authorize or immunize the violation of law or agreement in any way, or to otherwise disrupt, damage, or compromise the data or systems of another person.
(e) Any reward that remains unclaimed after a period of 12 months shall be deposited into the General Fund.