Not very profitable.
First you have to find the issues. Then you have to write the proof-of-concept that shows how you can do remote code execution. Then you have to convince MSFT that it is a real bug. Moreover, if it requires chained exploits, you have to give up the other exploits.
Thanks MSFT. Will look at your stuff maybe later. When I can convince my engineers to actually use Windows.