by xyst 709 days ago
It's not worth it. Payout by default is at least 90+ days (or 3 months) after disclosure (this is standard operating procedure to give the company time to fix the vulnerability). Then some companies have some bullshit internal company procedure for payout ("only at the end of the quarter"). Some companies dangle the carrot of "higher payouts," but after an internal review by some fresh-out-of-college, security-bootcamp asshole, the committee downgrades it to a less severe vulnerability (i.e., fuck you).

The number of clueless individuals running these bug bounty programs is not worth it. The only reason most people do it is for the "fame" within the security community; or that occasional researcher that was just bored.

Even worse, some companies (like South Korean companies) will not even pay out if you are not a citizen of the country. Makes no sense to me.

1 comments

Agreed about boredom. There are times I've discovered issues incidentally and checked if the company had a bug bounty program. If they don't, I may chuck a vague email to security@; if they do, I'll write something quick and take whatever they send. I've seen $3k once from this, but usually it's not enough to justify the time it takes to do the write-up. There are far too many "out of scope," "we already know," or other non-payment results.