Bug Bounty Program

Start a security bug bounty program on available platforms (like HackerOne) in order to motivate security researchers to focus on TYPO3. In case reports get confirmed by the TYPO3 security team, reporters shall receive some appreciation - either money or TYPO3 swag (shirts, cups, ...).


This is a companion discussion topic for the original entry at https://typo3.org/project/association/funding-finances/budget-2020/bugbountyprogram/

The budget application should focus on the TYPO3 CMS core only - since rules for security researchers need to be clear from the beginning. Statements like “most used extensions” are vague and most probably will lead to (superfluous) discussions.

Extending to community extensions would require having some (automated) basic quality assurance process in place first - which is currently not the case for the packages on extensions.typo3.org.

Anyways, let me know in case there are questions or aspects that need to be clarified.

We talked about this on Slack. Really like and support this idea! Start at least with core please. After RIPS, this is another great way to push the security reputation of TYPO3. Also marketing-wise, very useful!