Find the hole.
Write the report.
Get paid.

Bug bounty hunter. I look for vulnerabilities in production systems, document what I find, and write it up so developers can fix it. This is where I publish the ones I'm allowed to talk about.