Start by having a system for reports
I'm not entirely sold on this, but there's something else that will be required if you are and will be very useful if you aren't. You need a way to have people report problems to someone knowledgeable who won't attack the finder of the problem. I have two examples to demonstrate why this is necessary.
The first is from an internal hacker who discovered a vulnerability. You've probably heard the story. When Richard Feynman was working at Los Alamos, he discovered that the locks on safes containing nuclear designs weren't very good. He could open them with a paper clip. When they got higher security locks, he found that they too could be attacked too easily for comfort, and he reported it. As the story goes, the administrators decided that the new policy was not to let Feynman near safes he wasn't supposed to get into. In other words, they completely failed to recognize the severity of the vulnerability he was pointing out and were attacking the one person they could be sure wasn't going to misuse the vulnerability.
The second example is from an external hacker (me, by accident, on a system from the same company but not related to my work). I found a vulnerability in a system that allowed public access to somewhat important internal data. I knew enough to know that what I'd just seen was not supposed to be visible and that there was more where that came from. I sent an email describing the problem to the managing team. If I'd been really external, I couldn't have done that very easily either, because contacting a specific team when you're not internal is difficult (and I'd have been afraid of retaliation, so I'm not sure if I'd have done it anyway). Nobody responded. Sending more emails didn't help. The only way I got anyone to look into the problem was by knowing a friend who could introduce me to someone who worked with the team, who in turn could introduce me to someone on the team itself. Reporting a problem took a lot of effort, and had the bug been much smaller, I wouldn't have bothered reporting it.
If you ask people to find vulnerabilities, or even if you don't, there needs to be a way to get reports and handle them without making the person reporting them the bad guy. If the ideas in the article sound like a good idea, don't start with them until this first step is completed, or the process will backfire when someone's found a problem and can't find anyone to fix it.