Money Versus Swag Rewards

Many of the programs you'll find won't provide a cash payout, but instead company swag (shirts, water bottles, and so on). Don't skip over these programs. In addition to being less-trafficked – upping your chances of finding a bug – and giving you great practice at finding vulnerabilities on a live production site, many swag programs supported by third-party marketplaces will also count toward your profile's chances of being invited to a private program, for those that support them.

These swag-only programs are generally where you should start if you're just beginning your journey. Hacking Google, Facebook, or Amazon will guarantee you a big payout if you succeed, but they already have such large security teams and so many bug report submissions from independent researchers, it'll be hard for someone just starting out to find anything on their first try – much less something that hasn't already been reported.