How to think about million-dollar competitions as a security researcher:

- Teams treat these competitions as the final boss. The code that enters them has almost always been audited, often multiple times. Competitions are pretty effective at finding missed bugs, but in some cases, no more bugs are left.

- Rewards for the competitions can feel wildly disproportionate. When there are bugs, the winners can earn $100K–$200K+. When there are no severe bugs, the payouts are tiny. It’s a game of extremes: high highs, low lows.

- There's no perfect way to reward effort in a permissionless environment. Every suggestion I've seen can be gamed. As a security researcher, you're either selling your time or being rewarded by the outcome, i.e., getting paid for valid bugs you find. You cannot mix these two. If you do, you're setting yourself up for disappointment.

- The clearest sign that the industry is growing is researchers getting paid more, quarter after quarter. That’s what’s happening at Cantina. Our job is to create more opportunities for security researchers. More opportunities = more ways for you to earn. We've hosted more 7-figure competitions than anyone else, and have had more 7-figure competition payouts than anyone else. If you look at the competitions that did not unlock the full pool, they had incredibly hardened codebases, and they're successfully on mainnet with billions on the line.

- I talk to many security researchers, and I've yet to hear of anyone who went all in on Web3 and regretted the move. The long-term opportunity is still here; we will 10x that in the next few years. On the contrary, I know many security researchers who have found life-changing success in this industry. Many of them have won big competitions and continue to do so.