I spoke to a guy who does pentesting and vuln finding for a living. He told me that if I'm interested in doing the same thing, I'd be better off doing a little reversing work and then going into open-source analysis as soon as possible. His reasoning is that, if you're doing this as a career, then you're working for companies who are asking you to audit them, and will almost always give you the source to work with.