[i336_]

Seconded, I'd like to play around with this too but am not really sure where to start.

I get the impression the big bucks are in black-box proprietary/commercial systems? My only experience is with finding a small credential-leakage design flaw in an open source web app while poking through its source code one day.

I currently view most bug bounty hunting a bit like this - https://www.corsix.org/content/malicious-luajit-bytecode - so any suggestions about where to get started would be interesting. I'm not talking about "this is what XSS is", I'm talking megalists of recent compromises with annotated source code, that sort of thing. That would be both engaging, mentally challenging, and highly educational.

(As an aside, there was that one time I accidentally crashed Uppsala University's PDP-11/70 a few months ago (the logout program may have stepped on some kernel data structures :D), but that was kind of a fluke.)