> I used to report these things, but half of the time, they usually don't get it fixed

You've definitely got to prioritize here. Minor things, send once and move on for the most part. Some things really don't warrant a response; if you tell me I'm exposing TLS 1.0 and the world is going to end, I'm going to ignore you because I have reasons to run TLS 1.0 and too many poor quality reports; same thing if I expose the version of Apache I'm running --- I don't care if some checklist says I shouldn't do it.

If you tell me such and such link is XSS (and it actually is), I'll try to fix it ASAP and hopefully let you know, but sometimes communication falls through the cracks; anyway, you'll be able to see it's fixed. For real issues, it's probably worth trying to follow up after a couple of weeks. If they have a public security program, use that; otherwise customer service and whois contacts, maybe send a paper mail to the CEO. Look at how Project Zero reports on communication with the vulnerabilities they report, and try to emulate that. Obviously, they've got a lot of industry contacts and their team is well known, so they'll have an easier time getting in touch with people than you.

> Is there a way to ethically make a decent living from this? IE: consulting, employed, self-employed, etc?

Depends on where you live. If you live in a low cost country, you might be able to make enough from bug bounties. Otherwise, you're going to need to figure out how to get hired, either as a general researcher doing reports on the world at large (like you're currently doing), or as a consultant for specific clients identified in advance. While you might get lucky and turn some reports into a business relationship, it's tricky to do that without looking like you're begging for bounties https://www.troyhunt.com/beg-bounties/

Apply to existing security consulting companies and see how that goes.


Do you know if there are resources that tell you how to open a line to potential clients? IE: warm intro, cold call, etc.

It seems people prefer to report things anonymously especially when the bug bounty programs are worth so little.
