[stevekemp]

> Have some bug bounties, CVE's or exploits to your name, you'll get an interview.

That assumes you hear of positions, and apply. I do auditing for fun in my spare time, and have reported issues in software as diverse as Emacs, evilvte, GNU Readline, gforge, oping, and NCSA Mosaic 2.1 (!).

Brief list - https://steve.fi/Security/Advisories/

In all that time I've never once received an unsolicited offer/mail about "security". I do receive unsolicited contact from recruiters every other month or so, on the topic of Perl/Ruby/C++/etc.

(Interestingly I stopped getting recruiter mails from people asking about C++ when I moved a couple of personal github repositories into an organization of which I'm the main active member. I suspect that means recruiters are crawling github now.)