by byerley 4266 days ago
I view bug bounties as more of a conscious nod towards responsible disclosure than anything else. I sincerely doubt anyone could make a competitive living off of bug bounty programs (even accounting for the legal grey area of selling vulnerabilities) so the economic incentive argument seems really silly to me.

In contrast, if you've ever tried to responsibly disclose a vulnerability and gotten a threat from the legal department in response (still common practice in a lot of companies), a bug bounty program can be a very encouraging show of good faith.

2 comments

We have several participants in our program who are making a pretty decent living, especially the ones for whom a US$5000 reward is comparable to their nation's per-capita GDP. We are hoping to highlight some of these people in a future talk.

I personally think that the opening created for those without the educational or economic opportunities available to developed-world researchers is the best side effect of bug bounties.

I think there are quite a few people who do make a living by participating in vulnerability reward programs (well, not at $50 level, obviously).

Now, I have not seen too many people who would be doing it consistently for many years - simply because it gets tiresome. But it's the same thing for security consulting - at most consultancies, pentesters come and go.