I discovered an XSS flaw in a website a month ago and reported it to the owners. As a thank you they sent me a hat, a rather large american sized t-shirt and a pair of “DeFeet” socks (guaranteed to stay cooler and drier than any other brand). I didn’t expect them to ship something like that overseas for a fairly simple issue, but it was nice that they did.
If you want something more bankable for finding an issue with a website then there are hundreds of sites that offer cash for vulnerabilities, called “Bug bounty programs”. I found a list of such sites and picked one at random to see if I could find anything and after half a days work I discovered a high importance issue which would have netted me $500 if it were not for the fact that the bug bounty program ended late last year . The issue I reported did however get its own CVE number (CVE-2013-4429 ) which is pretty cool.
Bug bounty programs can be a nice bit of side income if you have some spare time, but always make sure that they are currently running a program.