Okay, I'm obviously missing some important details not being a security expert. Clear a couple things up for me.
1. Do security researchers spend their efforts actively searching for one particular bug using one particular method, or do they try a lot of different things and expect to find a lot of different bugs of varying levels of importance?
2. Do companies looking at their own code for bugs only concern themselves with bugs that would be worth selling on the black market, or is every bug a concern for them?
3. Bit of an opinion question, how much would you consider spending to find a bug to sell for $100k considering the potential failure of the endeavor?
4. Do you think bug bounties are the primary motivation for white hats to research bugs, and if not what effect do they have?
I don't think Mr. Haselton is qualified to answer these.
1: A little of both. I can only speak for myself, but I tend to look at a particular piece of hardware or software, and poke it until I find something interesting. Now interesting doesn't have to be a vulnerability, but it engages the brain. Could there be an exploit in here? And if not, could there be an exploit in other products that use a fairly similar design for something?
I may start looking at product A, and find X interesting, but end up finding a defect Y in product B.
2: Both. You sell not only a product, but a perception that you care about your customers. Besides, most companies have people in decision who wouldn't be able to make an educated decision on what type it was, and underlings whose opinion is tainted because they have a real need to cover their own ass. And the companies certainly won't take the word of a hacker as to what the impact is, so they'll usually err on the side of caution, i.e. treat it seriously.
Note that treating it seriously might mean it will take quite a long time to fix, because taking code seriously also means extensive tests that fixes don't break anything else. A company that has a very fast turnover for security fixes is one that I wouldn't trust much - it's a prime candidate for looking for more problems.
3: You start with a premise that the hunt is to get a reward. I believe that's almost always a false premise.
4: No, I think the primary motivation is curiosity. Unless that;s your primary driver, you will likely not be good at it.
A bounty might make a hacker go to the company after they've discovered the bug, instead of just sitting on it.
Which I think is what mostly happens. You know about a security flaw, but don't want to go to the company given the high risk of being sued in best shoot the messenger style. And you don't want to turn blackhat either, neither for criminals nor governments. But, I repeat myself. And if you're not a kid looking for notoriety, chances are you won't tell anyone.
I am quite convinced there are thousands of unreported vulnerabilities. Bounties might help with that.