Finding a problem that deserves a bug bounty reward is a very different beast to just finding quirks.

I read from one security researchers somewhere that professionals wouldn’t find enough bug bounty worthy problems in high enough frequency to pay their bills. So they’ll sometimes treat things like this more as a supplement to promote their CV rather than as a job itself.