Regarding onsite/remote, I think it depends on what you choose to specialise in. Most of the web application assessments I conduct are remote but there is still demand for onsite work.
There are so many sources of information and learning grounds available now - bug bounties, certifications, war games, online tutorials, blogs, conferences etc.
I would suggest choosing a particular area of interest to begin with and deep-diving on that subject. Look for mentors or perhaps someone to knowledge share / skill exchange with.
You could do pretty well with a base in C#. Through pentest engagements, I've come across quite a few C# apps in my time and even with my limited knowledge of the language, found some interesting vulnerabilities ;)
If you introduce a bug bounty too early, you will be paying out for vulnerabilities that could be caught or prevented in a much more cost effective manner (vulnerability assessments, penetration tests, developer training, appropriate monitoring).
Sqreen also have a handy basic security checklist: http://cto-security-checklist.sqreen.io Specific to bug bounties they say "You need security aware people inside your development teams to evaluate any reports you receive."
Really enjoyable easy read.