One thing I don’t understand is why security folks still bother with public bounty programs, when I hear that the market for software reviews is massive and very profitable. Is there a gap in the market for something that can matchmake skilled people with companies at reasonable rates...?
Most of us don't bother with bounties anymore. There are a lot of types of software review, so I'm not quite sure which one you're referring to. If you're talking about matchmaking for pentests, then you're essentially describing a bounty program; the only difference is that bounty programs don't pay researchers for their time. If you're referring to blogs/publications on security, then this is the first time I've heard of that market.
I’m thinking of security-oriented code reviews of various enterprise software. One of my old clients commissioned some last year over a piece of work I made, and apparently they had to go “to hell and back” to source a reputable (and very expensive) reviewer somewhere in California, while I’m sure there must be plenty of UK talent available. They then had someone else pentest it as a black box, which is definitely easier to source locally, although the quality can be very variable. I understand it is a very sensitive area; maybe it needs some sort of professional body to provide accreditation, self-regulate and promote reputable members, I don’t know.
I think bounties are an unbalanced system; as you say, pentesters don’t get paid for their time and often don’t get paid at all, like in this case. There must be a better way, where an independent third party can judge the actual severity of the hole and sanction payments.
This is a bit of a guess, since this kind of security research is but a hobby to me, but if, with reviews, you cannot publicly post your results after they're fixed, the best way to build a portfolio would be public bounty programs. And without a good portfolio, you don't get hired for reviews.