To tack onto the conversation here regarding security researcher earnings.
Here's a breakdown of the amount we've paid out per experience level:
My estimate and breakdown for the number of people who can consistently make more than 10k per month in web3 security as an independent security researcher.
spearbit has all the good independent researchers roughly ~100 onboarded. Lets say SRs and LSRs make more than 10k per month. (though technically AR and JSR can also make 10k per month if they are assigned to audits, but there are usually not enough to go around). So Spearbit has around ~50 people.
c4, sherlock + other audit contests. Looking at the leaderboard there are not many people that can consistently make more than 10k per month. Lets generously estimate ~50 people.
Private audits - most people who do well here market themselves on twitter to drive business. You have likely heard about all the successful people in this group. They also overlap with spearbit and audit contest people. Lets add ~25 people to the total.
Finally there are bug bounties, a bit harder to estimate. Looking at the immunefi leaderboard you might think it is higher than it actually is, but you need to consider that the huge 10m, 8m bugs etc were paid quite a long time ago. Last month there were 45 crits and highs submitted on immunefi. The people in this group also overlap with the other groups, in addition to people submitting bugs as anon; will add another ~25 people to the total.
So in total we have ~150 people making more than 10k per month as an independent security researcher in web3.
Agree?