To add to the sibling comment, there are also many different ways of making a living doing this stuff:

* You can find killer client-side bugs where the bounty will cover a year's worth of compensation (bear in mind you'll get maybe 1.5 of these payouts a year on your own if you're good but replacement-level).

* You can find these kinds of bugs and work with brokers to sell them to grey-market buyers along with enablement/implants --- more development work, a little more market risk.

* You can find smaller, easier bugs (server-side, web bugs) that get nothing resembling these kinds of payouts but are much easier to find, and make good money on volume. This is a much more common way of making a living on bounty payments.

This seems harder and riskier than a full-time wage - almost like a salesman who makes money from commission.

The salesperson earning much of their annual take-home from variable compensation is one of the most common white-collar jobs there is.