I've got to respect the transparency and spirit of this post. Major props. What I really love is seeing all the partnerships that have gone into some of his work over the years. Didn't realize how mammoth of a task some of these reports must have been that were only made possible via collaboration.
A friend of mine looked at the feasibility of getting into bug bounty as a professional career. He mentioned that if you're not specialized on a specific attack, you have no chance.
I think it's quite refreshing to see that Shubham Shah is a strong counterexample.
Is he really a strong counterexample? If you actually count the bounties he got this year so far, it's less than $50,000. I think he could easily earn more working as some kind of security engineer (with way less flexibility, though).
Author of the blog post here. I want to make it clear that I had multiple full-time jobs along the way that paid over 200k AUD/year and it required a lot of effort to do both bug hunting and work full time. I only did bug bounty hunting full time for around a year while I was traveling around Europe. I just really love hacking. Bug bounties landed me my first job in the industry and have led to countless opportunities in my career so far.
Automation of niche bug classes is the name of the game for high earners. Or you're the 0.01% and find new vulnerabilities in services that will pay big bucks for them. For example account takeovers in Google, FB and the like or remote code execution in high profile software have payouts that are a minimum of five figures.