I researched this a few years ago and it can be lucrative if you are well skilled at finding vulnerabilities.
Does VUPEN still buys exploits? Could not find it on their site. I only seen vacancies.
I am mostly interested in in the OS/application layer so incentives for website issues not work for me. If anybody knows more companies like VUPEN and ZDI please post.
EXIN ISO/IEC 27002: ISF & ISMAS, ITIL Foundation, Comptia Security+, CCNA, CCNA Security, Wip: OSWP