Skill definitely plays a role too. If you are smart and experienced enough, you can theoretically churn out a valuable exploit once every 1-2 months on average. At a company, you're generally going to get a flat salary.
Many vuln research/development companies do offer bonuses for every effective exploit you write though, in which case it probably is better to work for such a company than to rely solely on bug bounties and competitions for income. Unfortunately, those same companies usually sell the exploits to the NSA and the intelligence agencies of other governments.
Many vuln research/development companies do offer bonuses for every effective exploit you write though, in which case it probably is better to work for such a company than to rely solely on bug bounties and competitions for income. Unfortunately, those same companies usually sell the exploits to the NSA and the intelligence agencies of other governments.