info sec and money
my primary question: How to get money in Info sec, without hire in company and not work on black side?
You can probably see this talked about everywhere, bug bounty programs are programs hosted by different companies that encourage people to find security vulnerabilities and bugs in their software. is a good example of a website that hosts different companies bug bounty programs. 
Hope this answers your question, apologies if it doesn't.
Ditto, like Ueax said. If you want to make money in infosec independently without any employers the most lucrative business would either be: 1) Bug Bounty or 2) Developing exploits and selling them.

But both of these options are very competive and hard to make a living off at the start. You would need some skills and experience for it, but that isnt to say you shouldn't try. Try to find websites/services with bug bounty programmes, and try to find your way into private bug bounty programmes to narrow down that competition.

As for selling exploits: Learn exploit development. Sell them, it's that simple. Sounds weird but there's a legitimate market for it, see as an example. Although might be a tad bit unethical as they sell them to china, russia and other actors. But there's other vendors out there willing to buy them for more ethical actors.

Can't say much about it, not into this myself. But speaking from what I have heard from a friend who makes a living off it.
Consulting is another option. If you're already working in bug bounty programs, getting new customers will be a bit easier. If you blog about it, easier still. That's not to say it's _easy_, but having social proof makes it easier for decision makers to get your company on the approved vendor list.

There is a lot of money in this space. Getting in can be tough. Being an employee on a red team can help get you familiar with the industry and make contacts. Red team pay isn't quite what dev teams with equal experience will make, in my experience. Mostly because security is a sunk cost to corps - it doesn't have a direct relationship to an increase in sales. Dev teams build features, which means higher customer retention, easier customer acquisition. Security requirements are box-checking activities. Everybody knows that PCI compliance is security theater, but that box needs to be checked.
I speak from my personal experience, i'm the guy who does not hunt for bugs day and night but who would like to sometimes monetize few interesting vulnerabilities.

I have never used platforms offering money for bugs like HackerOne or others because it's too regulated and it may happen that they don't pay enough for the type of vulnerability you submit. All submits are auto-filled with a specific amount for each vulnerabilities, and that's the same thing for all the pentesters on the plateform. 

I think you can easily differentiate yourself from all these hackers by contacting the company by yourself, this will create a more human interaction with all the people behind the website. They will be more professional, will appreciate all the efforts you make for them and they will pay you more than any bug bounty program. But you're alone in the process.

Bug bounty programs accompany you in the process and they are very useful to follow the progress of a submission, have legal invoices, and to be recognized on Hall of Fame pages like Adobe, Microsoft ect ... If you want to make it your main activity, so it's the way to go.
(01-19-2021, 04:54 PM)funboy Wrote: my primary question: How to get money in Info sec, without hire in company and not work on black side?

Senior Security Engineer - Remote

10,000 vacant jobs in switzerland, we don't find people. You can start working in switzerland immediately - tomorrow. Your origin, age, skin color, belief doesn't matter.

+ safe and high salary.
+ conflict-free, quiet and very rich, beautiful country.
+ quick citizenship.
+ as a person, you will be judged on your performance - nothing else.
+ extremely high privacy, drama-free humans, happy life.
+ freelancer welcome, work possible on payment.
+ you are protected by swiss laws, no EU membership, no higher authority.

Possibly Related Threads…
Thread Author Replies Views Last Post
  Is it possible for a hacker to hack into a power grid and cause a blackout ? setekh 3 6,089 01-01-2022, 09:45 AM
Last Post: _BNM57_
  [Podcast] Spidersec talks but Red-Teaming and Exploit Dev LaZr4us 2 22,837 09-02-2020, 09:37 AM
Last Post: LaZr4us
  [Podcast] Jim Gilsinn talks about SCADA and ICS Devices LaZr4us 0 15,030 07-18-2020, 10:14 PM
Last Post: LaZr4us
  LAMP, LDAP, and PostFix, Ubuntu VM security and monitoring measures? QMark 4 21,483 04-26-2019, 12:25 AM
Last Post: Insider