It seems to me that one of the best learning opportunities, and a potential income stream, for web application penetration testers is bug bounties. If you are at all interested in InfoSec you probably already know about these programs, but let me give a high level overview. Bug bounty programs are essentially guidelines from companies that provide a structure to allow legal penetration testing of their web sites and applications. Two major sites that share and organize these opportunities are Bugcrowd and HackerOne.
I have only recently begun my bug bounty journey, having earned my Certified Ethical Hacker certification. Today I wanted to share my latest discovery, which has already proven to be a great resource. HackerOne has a section for disclosing their user's reports. They call this Hacktivity. For starters they provide an example of how to create your own reports, but more importantly they show the steps taken to discover and exploit the vulnerability. If you still in the early stages of your education many of these may be too difficult to understand at the moment, but that is what provides the greatest opportunity to learn.
I hope this helps in somebodies bug bounty journey. I'll be sure to share my first report with you.