Security testing usually sits on the edge for many testers: it seems weird, looks like something totally different, and feels out of reach.
But in a way, all testing is like this. Sometimes you need to know the business logic of the product better. Or you need training in some area. Or maybe you need to learn a tool. Or you need to do something you are not very familiar with.
Compared to other testing, there is one advantage: there are public programs that pay rewards for reported vulnerabilities. You can test your skills in the area, and if you are successful you get something in return.
I will list a few of them, even though I am not totally familiar with how they operate; you can try them and tell me.
1. Google
You can check their details here http://www.google.com/about/company/rewardprogram.html
Seems quite legit and it pays decently. A possible issue here is that it is a very well-known platform, so by the time you find something, chances are you are not the first one. On the other hand it's a big platform, so the surface to test is large enough.
2. Facebook
Details http://www.facebook.com/whitehat/bounty/
It's very well known and again it's similar to Google's: it is hard to be the first one to find something useful. They seem to reply fast to whatever you send them.
3. Mozilla
Check it here http://www.mozilla.org/security/bug-bounty.html
Again a platform that seems more trustworthy. Like Google with Chromium, issues in the browser (Firefox) seem to be rewarded higher.
4. CCBill
Details http://www.ccbill.com/developers/security/vulnerability-reward-program.php
It is currently on hold but it might be resumed. It's not a platform like the "big three" listed above, so you have to check it for yourself.
5. Secunia
http://secunia.com/community/research/svcrp/ for more info
They seem like a third-party service: you send vulnerabilities to them for validation.
6. Piwik
See here http://piwik.org/security/
It seems ok, but again, like the other ones above, you have to try it for yourself.
7. PayPal
https://cms.paypal.com/cgi-bin/marketingweb?cmd=_render-content&content_ID=security/reporting_security_issues
This looks interesting and very legit.
8. Barracuda
Check it here http://www.barracudalabs.com/bugbounty/
You have to investigate this one for yourself.
9. Hex-Rays
See http://www.hex-rays.com/bugbounty.shtml
10. Samsung
See here https://www.samsungbugbounty.com/
I am pretty sure there are plenty more. If you know about other programs, please post them in the comments, especially if you received a reward. Some companies would probably be happy if you sent them vulnerability reports even if they don't have a program. But in that case it's quite risky, because they could accuse you of bad intentions.
So there are plenty of opportunities for white hats out there. Writing this post, I am quite amazed myself at how many companies I can find.
But getting the actual reward is a long way off. The best way to validate a program is by hearing from happy people who got rewarded.