Re: bounties....
For startups, I would definitely recommend against a public bug bounty program. There are a LOT of bad-faith reporters out there who are trying to convince people that their apps are full of critical vulnerabilities, and that can be a lot to weed through. Running a public bug bounty program means you're obligated to respond to every reporter, which can be overwhelming, unless you've hired an employee or a third-party triage service like HackerOne to handle that work. Additionally, if your site is still relatively new, it could be more likely to have bugs, and you can find yourself putting bandaids on bandaids. Just paying upfront for a pentest is probably a better use of those resources.
That being said, running an invite-only private program can be somewhat beneficial. You're less likely to get people trying to tell you your exposed Google Maps API key is a critical finding, and the legitimate reports tend to come in at a more manageable pace.
Re: realistic solutions
Personally, I think trying to find a company or an individual that does consulting for startups is a good way to go, but I don't know of many.
If you're seriously looking for solutions, lmk, I do this kind of thing for a living and I'm actually looking for opportunities at the moment. But I'd be happy to help in whatever way is best for you, so I'd be happy to at least point you in the right direction if I can't help directly. We definitely need more people thinking about this kind of thing.
Great to know, frosty. And thanks for the thoughtful answer.
Anytime!