Let's use the HackerOne service
I've discovered a service called HackerOne (see https://hackerone.com), which is used by Phabricator and other companies as a platform for reporting potential security-related issues within an application.
Benefits
users of that website have security-related knowledge (no need to search for such people to test In-Portal)
it's free to use, but once we confirm the reported issue to be a security issue, we must pay some money to the reporter, and HackerOne will get 20% of that money
the amount of money (reward) we pay is up to us, but, for example, the Phabricator guys pay more the more impact the issue has on Phabricator users
@Dmitry Andrejev (Unlicensed), if you agree with my proposal, then let's talk about this over Skype and set up a team account there.