NB: Make it a multi-sig (keep one key to yourself) to make sure you get some info about the vulnerabilities in case the penetrators just want to abscond with the loot.
of course, now they will assume it's a multi-sig key. :-)
But really, this idea is solid- but how do we get someone involved? I think at the start we might have to turn to the community and later on start to think about dedicated professionals in this field. I don't think many firms are interested in turning their attention away from banks and corporations to work on someone's bitcoin website project. :-)