Hacker News
by 8organicbits 701 days ago
The highest ROI for me was from bugs I found incidentally. Like, I was building a client for some auth scheme and... yikes, the documentation made it clear they were vulnerable. No PoC needed, mostly linked to the part of the spec they forgot.

Bug finding requires theory building and guesswork. You're working blind. Reporting requires detailed technical writing and POC implementation. It's time consuming, so unless you're able to crank out findings or submit the same issue to multiple companies in parallel, the hourly rate will be low. Companies are flooded with low quality reports, so you really need to make the issue crystal clear.

Private bug bounties are better because there are usually obvious issues, but you're racing to be first to report.

Contract security work is much more predictable. Companies that "haven't thought about security before" are desperate for help. You can get more money building a system inventory, recommending updates for EOL systems, finding leaked passwords, and turning on firewalls. These are basically engineering teams that know they have issues but need someone external to make it clear to management that they need to invest in security. I've never failed to find at least one way to get system root or cloud admin rights on those contracts.