Big companies have bounty programs, like facebook and google.  You could always sell your bugs to tippingpoint too.

However, you usually bug hunt because its enjoyable not because you'll get rich from it. When you add up the amount of time it takes to find a bug, determine if its exploitable, crafting a reliable exploit......the time adds up big time.

There's also "hatforce.com", and possibly "uTest.com" as well, I'm not sure about uTest, as I haven't tried that fully yet. (I'm only interested in security jobs.) Hatforce.com is fairly new, but so far quite nice. Take a look from time to time, to see if there's any new projects 

It sounds more like you should do research instead, write an awesome paper and presentation, then go to some conferences to talk about it and don't get sued too  (Depending on where you live of course.)

If you just want money for 0days, find some very good ones and sell them to e.g., ZDI, and so forth. This requires of course, pretty good skills I'd say as they don't accept all 0days, there's a list of products. (Other sites may accept them though.)

Good luck!

No problem, it's why I'm around  I should note however, that 99,9% of the work I do is voluntary (free), so don't expect good tips on how to make a lot of money from me, unless you have mad exploit research and development skills, then I know where you should go to 

However, ZDI is worth it if you're that good:
http://www.zerodayinitiative.com/about/benefits/

At least, that's my opinion and no I don't have any affiliation with them, but it's one site I would probably sell exploits to if I had any of those they want 

A couple pieces of advice for you:

If its a network exploit, meaning you send some malformed packet across the wire to a victim, make sure you test it by putting your victim and attacker machine on different subnets/IPs. On one of my exploits, the GoldenFTP 4.70 PASS exploit, I saw inconsistent behavior when changing the IPs. Someone else ended up figuring this piece out and making the exploit a bit more reliable. I have only seen this on two exploits I've done, so it's not that common I don't think.


This is not true. Packetstorm for example will take anything, and not test it at all prior to posting. I have a few exploits on packetstorm that exploit-db did not take for one reason or another. Exploit-db will do some very basic testing, just to make sure your sploit works as advertised.

For further testing, you could design your exploit to work on different OS versions and service packs. Make sure you also reboot everything and run your exploit again etc..... just keep thinking of ways that would break your nice shiny exploit

LOL - what I meant to say is that you guys wont be doing the dirty testing that the author should be doing. I'm certainly not diminishing all the verification that the exploit-db crew does. That is awesome that someone does go through and validate - other sites have a bunch of junk up there