In addition to the many independent bug bounty programs run by organizations themselves, a few companies specialize in creating those programs for them and recruiting hunters to their platforms, also known as crowdsourced cybersecurity platforms. Those include:
Let me also give some input on the various programs:
Both HackerOne (HO) and Bugcrowd (BC) are a good fit for penetration testers, and I would suggest watching the talks of Jason Haddix to get an idea of focus areas. They mostly deal with web-app and network-level vulnerabilities, although there are some customers who look for expertise in IoT, mobile and/or desktop applications. Make sure to read the scope and do not violate the terms… Payments are in either Bitcoin (HO) or USD/bank transfer (BC).
ZDI, SSD and Zerodium focus on vulnerabilities in common enterprise-level software and IoT/SCADA/automation. See the advisories listed on ZDI for an idea of accepted vulnerabilities and target software. A large percentage are memory safety issues, which will require decent fuzzing, RE and triage skills. On the webapp side, injections and AA issues are not uncommon… Zerodium needs a full working exploit; ZDI and SSD might accept a PoC if clearly written.