BILL ANALYSIS
AB 2720
Page 1
Date of Hearing: April 5, 2016
ASSEMBLY COMMITTEE ON PRIVACY AND CONSUMER PROTECTION
Ed Chau, Chair
AB 2720
(Chau) - As Amended March 17, 2016
SUBJECT: State government: Office of Information Security:
cybersecurity vulnerability reporting
SUMMARY: Authorizes the state Office of Information Security
(OIS) to establish a Cybersecurity Vulnerability Reporting
Reward Program (Program) that would provide a monetary reward to
eligible individuals who identify and report previously unknown
vulnerabilities in state computer networks. Specifically, this
bill:
1) Authorizes OIS, subject to appropriation, to establish a
Program for the purpose of soliciting eligible individuals to
identify and report previously unknown vulnerabilities in
state computer networks and making a monetary award for an
eligible report.
2) Grants the Chief Information Security Officer (CISO) sole
discretion to determine the eligibility of a reported
vulnerability and the individual reporting the vulnerability,
whether or not to make an award, and if so, in what amount.
3) Requires OIS to develop policies, standards, and procedures
for the administration of the Program, including eligibility
and award criteria, subject to the following requirements:
a) The priority of the Program must be to identify
vulnerabilities in state networks that could compromise
the integrity of user data, circumvent the privacy
protections in use to protect user data, or enable
unauthorized access to state networks or infrastructure;
b) The eligible state agencies and departments
included in the Program must be specified;
c) The eligible types of vulnerabilities must be
specified;
d) The minimum award for a qualifying vulnerability
shall be one hundred dollars ($100), and the maximum
award shall be five thousand dollars ($5,000);
e) The determination of the award amount within the
given range shall be solely at the discretion of the
CISO, based upon the sensitivity of the reported
vulnerability, the specificity of the report, and any
other factor that the chief may deem to be relevant.
4) Specifies that a vulnerability report may be eligible for an
award only if both of the following requirements are met:
a) The vulnerability was not previously known or
reported to OIS; and,
b) The vulnerability report contained all necessary
information and is in the required format, as specified
by the office.
5) Specifies that an individual may receive an award for
submitting an eligible vulnerability report only if all of
the following requirements are met:
a) He or she has not attempted to access another
person's data, or has not otherwise engaged in any
unlawful, disruptive, or damaging activity in the course
of investigating the existence of the suspected
vulnerability;
b) He or she is not on any federal sanctions list, or
located in a country that is on any federal sanctions
list;
c) He or she submits a vulnerability report that
includes, but is not limited to, a description of the
vulnerability, the specific risks involved, and at least
one valid description of the circumstances under which
the vulnerability could be exploited;
d) He or she is not a state employee or contractor,
or the spouse or immediate family member of a state
employee or contractor; and,
e) He or she does not knowingly make any false,
fictitious, or fraudulent statements or representations
to the office when submitting information under this
section, or knowingly include any false, fictitious, or
fraudulent writing, document, statement, or entry
therein.
6) Clarifies that no provision of this bill shall be construed
to authorize or immunize a violation of law or agreement in
any way, or to otherwise disrupt, damage, or compromise the
data or systems of another person.
7) Provides that any reward that remains unclaimed after a
period of 12 months shall be deposited into the General Fund.
EXISTING LAW:
1) Establishes, within the Department of Technology, the OIS to
ensure the confidentiality, integrity, and availability of
state systems and applications, and to promote and protect
privacy as part of the development and operations of state
systems and applications to ensure the trust of the residents
of this state. (Government Code (GC) Section 11549)
2) Authorizes, pursuant to the Merit Award Program (MAP), the
Department of Human Resources to make awards to current or
retired state employees for proposing procedures or ideas that
are adopted and put into effect and result in eliminating or
reducing state expenditures or improving operations, or for
making exceptional contributions to the efficiency, economy,
or other improvement in the operations of state government.
(GC 19823)
3) Requires the Governor to designate three state agencies to
participate in a pilot program in 2015 to award up to $75,000
in cash prizes to eligible participants in innovation
contests. Each designated state agency would establish and
administer an innovation contest, and, on or before January 1,
2016, award a prize of up to $25,000 to a participant the
state agency determines to have submitted the entry that best
addresses the subject of the contest, in accordance with
standards established by the state agency, and has the highest
likelihood of being adopted and placed in effect. (GC 12045)
FISCAL EFFECT: Unknown
COMMENTS:
1) Purpose of this bill. This bill is intended to improve the
cybersecurity of state networks by creating a monetary
incentive for private individuals to confidentially report
network vulnerabilities to state cybersecurity experts so that
they can be fixed before they are exploited by hackers, a
program commonly referred to as a "bug bounty." This bill is
author-sponsored.
2) Author's statement. According to the author, "In recent
years, many tech companies have established vulnerability
reporting programs, also called 'bug bounty' programs, to
encourage and facilitate the reporting of cybersecurity flaws
by creating a means to communicate - and reward - information
about those vulnerabilities. Private sector 'bug bounty'
programs, such as those at Google, Facebook, and Netflix, even
honor security researchers who report serious flaws in
software or websites by giving out monetary rewards and
posting names on a public 'hall of fame' website. This bill
would borrow an industry best practice from Silicon Valley and
apply it to state government, establishing a first-of-its-kind
program to improve the cybersecurity of state websites,
networks and online services."
3) Bug bounty programs in the private sector. Bug bounty
programs have been in existence in the private sector
reportedly since 1996, when one was invented by a fledgling
Internet browser company as a way to harness the knowledge and
energy of outside users for the purpose of identifying "bugs,"
or vulnerabilities in the software. The term is now used to
describe any program offered by websites or software companies
to give compensation and recognition for reporting
vulnerabilities, which allows the company to resolve the
problem early before awareness of the flaw spreads and is
exploited.
Bug bounty programs are now widely used in the tech industry,
with major companies such as Google, Facebook, and Microsoft,
having their own programs. For example, Google's
Vulnerability Rewards Program has operated since 2010, and
grants awards ranging from $100 to $20,000 for qualifying
vulnerabilities. Individuals can only target their own
accounts, and awards are made based on the severity of the
threat and the sensitivity of the target.
Facebook has operated a similar program since 2011, and the
program has grown consistently since its inception. According
to an August 2014 blog post, the company had received 14,763
submissions in 2013 alone, 6% of which it categorized as high
severity, and paid out $1.5 million that year to 330
researchers across the globe (average award was $2,204).
Facebook's program also makes good use of researchers in other
countries, with Facebook noting that US-based programmers only
came in third in total reports: "Researchers in Russia earned
the highest amount per report in 2013, receiving an average of
$3,961 for 38 bugs. India contributed the largest number of
valid bugs at 136, with an average reward of $1,353. The USA
reported 92 issues and averaged $2,272 in rewards. Brazil and
the UK were third and fourth by volume, with 53 bugs and 40
bugs, respectively, and average rewards of $3,853 and $2,950."
As noted above, there is a large and organized community of
security researchers that participate in bug bounty programs.
The website Bugcrowd, which serves as a central resource for the
security researcher community, describes its purpose this way:
"Companies are in an unfair fight when it comes to
cybersecurity. Regardless of how robust security efforts are,
companies will always be outnumbered by the thousands of
malicious hackers worldwide. We bring thousands of good
hackers to the fight, helping companies even the odds and find
bugs before the bad guys do." Bugcrowd lists 473 individual
bug bounty programs, with each program offering some
combination of rewards including cash prizes, branded
merchandise or "swag," and recognition in the company's "Hall
of Fame."
4) Existing governmental award programs. Since 1950, California
has had MAP, operated by the Department of Human Resources,
designed to operate as an "incentive award system to recognize
employee's contributions to state government and its
operations." MAP incorporates three different awards, each
funded by the agency/department that benefits from the idea or
nomination: the Employee Suggestion Program (awards from $50
to $50,000), the Superior/Sustained Accomplishment Award ($50
to $250 per person), and a Special Act/Special Service Award
Nomination (lapel pin, certificate and citation). Awards
exceeding $5,000 are required to be approved by concurrent
resolution of the Legislature.
In 2014, AB 2138 (Gatto), Chapter 678, Statutes of 2014, created
a one-year "innovation awards" contest in state government for
the purpose of awarding up to $75,000 in cash prizes to
eligible California participants who are not employees of the
State. Three state agencies were chosen to participate in the
pilot program and set their own standards for the contest.
The underlying purpose was to solicit new procedures, plans,
designs, or ideas that would "contribute to the efficiency,
economy, or other improvement in the operations of the state
agency, including, but not limited to, streamlining an
existing process or system of the state agency or the design
of a feedback system for the state agency."
Ultimately named the "$25K Find a New Way" contest, the
Governor's Office named the Department of Transportation
(CalTrans), the Department of Alcoholic Beverage Control
(ABC), and the Department of General Services (DGS) as the
participating entities. Caltrans ultimately issued three
$7,000 awards for a suggestion related to improving highway
signs and a $4,000 award for an idea to develop a smart phone
application to enable smart travel habits. ABC awarded $7,500
for the development of a smart phone application to
anonymously report the sale of alcohol to minors. DGS focused
its program on "green government," and awarded first place to
another application developed during its first ever "GreenGov
Challenge" code-a-thon that would track how state agencies
perform in buying "greener, environmentally preferable
products."
The federal government has also recently announced its own
cybersecurity bug bounty program. In March 2016, the US
Department of Defense (DoD) announced that it would be
launching a new program that would invite hackers to test DoD
websites for possible financial rewards - the first such bug
bounty program in the federal government. The program would
involve the selection of a group of hackers from a pool of
applicants and giving those selected specific targets to test.
The hackers would then report back on what they found and
assist the DoD in patching the identified weaknesses in
exchange for a monetary reward.
5) This bill in practice. In its current form, this bill
authorizes, but does not require, the CISO to establish a bug
bounty pilot program for state networks. In order to
administer the program, the CISO would be required to develop
eligibility and reward criteria, and would have the discretion
to award prizes to eligible researchers for eligible
vulnerabilities in an amount ranging from $100 to $5,000,
depending on the sensitivity of the flaw and the completeness
of the report.
Eligible vulnerabilities would need to be previously unknown,
actionable, and fully reported. Eligible participants cannot
attempt to access another person's data or otherwise engage in
unlawful, disruptive or damaging activity. A participant is
also not allowed to be from a country on a federal sanctions
list, be a state employee or immediate family member thereof,
and cannot make any false, fictitious or fraudulent
representation.
The bill also makes clear that the program does not authorize or
immunize any violation of law or contract, or otherwise permit
the disruption, damage or compromise of data or systems of
another person. The bill does not specify the total amount
appropriated for the program, although the author's office
expects to amend the bill in the Assembly Appropriations
Committee to set the specific amount.
6) Arguments in support. According to the California Chamber of
Commerce, "[p]rivate entities at the forefront of
cybersecurity practices utilize bug bounty programs as part of
vulnerability management strategies. These programs provide
monetary incentives to individuals who identify and disclose
system vulnerabilities. The program's goal is to maximize the
number of outside security researchers that are probing
systems in order to discover issues before they are exploited
by hackers. AB 2720 creates a state bug bounty program
modeled after the successful programs utilized by private
companies. As such, this legislation will reduce
vulnerabilities in the state's technology infrastructure by
leveraging outside resources and experts."
7) Previous legislation. AB 2138 (Gatto), Chapter 678, Statutes
of 2014, created a one-year "innovation awards" contest in
state government for the purpose of awarding up to $75,000 in
cash prizes to eligible California participants who are not
employees of the State.
REGISTERED SUPPORT / OPPOSITION:
Support
California Chamber of Commerce
Opposition
None on file.
Analysis Prepared by: Hank Dempsey / P. & C.P. / (916) 319-2200