I've discovered a service called HackerOne (see https://hackerone.com) that is used by Phabricator and other companies as a platform for reporting potential security-related issues within an application.
- users of that website have security-related knowledge (no need to search for such people to test In-Portal)
- it's free to use, but once we confirm the reported issue to be a security issue, we must pay some money to the reporter, and HackerOne will get 20% of that money
- the amount of money (reward) we pay is up to us, but, for example, the Phabricator guys pay more the more impact the issue has on Phabricator users
Dmitry Andrejev [Intechnic], if you agree with my proposal, then let's talk about this over Skype and set up a team account there.