CA AB2720

Authorizes the Office of Information Security to establish a Cybersecurity Vulnerability Reporting Reward Program to identify and report previously unknown vulnerabilities in state computer networks, subject to legislative appropriation.

Sets minimum award of $100 and maximum award of $5,000 for eligible vulnerability reports, with award amounts determined by the chief based on sensitivity, specificity, and other relevant factors.

Requires the office to develop policies and procedures specifying which state agencies are covered, qualifying vulnerabilities, and priorities focused on protecting user data integrity, privacy, and preventing unauthorized access.

Prohibits awards to individuals who have attempted unauthorized data access, engaged in unlawful activity during investigation, are state employees or contractors, are on federal sanctions lists, or submit false information.

Specifies that unclaimed rewards after 12 months must be deposited into the General Fund, and clarifies the program does not authorize violation of law or authorization to damage systems or data.