Huh, I didn't realise salaries were that high in malware / RE. What kind of positions do you mean? Presumably consulting?


he means bug bounties


I definitely do not mean bug bounties. While it is possible to make a full salary pursuing bug bounties, they are a poor investment of time.

For example, if I am paid to do an exhaustive penetration test and source code review for a company I'll be paid $10,000/week. I might not find a single vulnerability (doesn't happen often), but I still did the work.

If I pursue a bug bounty for the same company I might find nothing at all, which means I earn nothing. I also most likely won't earn $10,000 in bug bounties in a week.

Aside from this, there is a bit of classism in the security industry. Bug bounty hunters are predominantly people from developing countries who do not know how to find even the most simple CSRF flaw, which is really quite sad. They do not have access to the same education and they are mostly hopefuls who want to "break in" to the security industry.

The "crowdsourced security" model touted by HackerOne and BugCrowd doesn't really work, where "work" means you can replace a real penetration test from a real security engineer with it. It works if you have people like Frans Rosen, fin1te or bitquark (famous bug bounty participants) pursue bug bounties on your software, but it doesn't work for the other 9/10 people who will fill your inbox with pointless, invalid reports. For this reason, bug bounty participants are not very well respected unless they have a reputation for good work because of how much noise the average bug bounty generates instead of valid reports. On the other hand, you'll find most successful security engineers don't spend much time pursuing them.


I'd be surprised if OP meant bug bounties. Most rewards seem to be in the $2,000 - 10,000 range. They take time to discover so you'd have to be pretty productive (and perhaps lucky) to regularly find enough bugs to earn a salary in that range.


Could be, but it's also applicable to general compensation for the skill set 'dsacco describes.


From what I've seen of these, bug bounties are quite low. I, like GP, would assume consulting. Either for companies acting defensively or with nation states acting offensively.
