I first tried to apply a typical OWASP Top 10 methodology during the Deutsche Telekom programme. Not very efficient... So I decided to participate in other programmes with a focus on two narrow fields, XML and SSRF. As expected, few people had a look at this area. As a result, I totally pwned Prezi and Yahoo.
For both of them, I was quickly able to read non-privileged files like /etc/passwd. I later accessed the private key of Prezi's cloud deployment system (using an EC2/OpenStack trick) and got root privileges on every outbound Yahoo proxy (with a vulnerability previously closed as WONTFIX).
Big compromises imply big rewards, and I earned the top rewards from both programmes: around $25k in a few days. Pwning production networks is a hobby that most sane people should enjoy!