Mirrors my thoughts loosely. I'd suggest the grey hats are not so "intermediate", but sit with their feet on both sides of the fence. And thus their grass is always green.
The most critical concept right about now, however, is the protection of our digital infrastructure, the data within, and the communications channels citizens use to access.
I'd personally prefer to pool from those who wouldn't self-define as "hacker" - unless they do so under the guise of a single specific definition. The reason being the massive distortion from the media surrounding the word "hacker", and it's these other definitions that such people will have pursued. I certainly avoid using the term where possible if only to avoid all the "can you hack my g/f's FB? I think she's cheating on me" retards.
Instead it'd be wiser to pool from those who would instead self-identify as pursuing applicable fields. Ignore the "hackers", utilise the "security researchers", the "systems analysts", the "networking engineers" and the "penetration testers" - the sort of person that would recognise https://upload.wikimedia.org/wikipedia/commons/thumb/4/45/Glider.svg/220px-Glider.svg.png and understand its significance. The sort of person that could tell you why it's more suitable to use "kali" for use in "X" deployment scenario, as opposed to a standard *nix install with the same tools added from repositories.
A set of "mirror services" on a testing rig, populated with random, testing data would allow folks to TTD all facets of all services without impacting operations. Should allow to find and resolve issues before they actually become a problem. AFAIK there's not even any real bug reporting system in play - beyond the forum section - and no ticketing system... The entire operation reeks of much inexperience.
Various observations of previous usage habits, as much as there's been no indication of a PCI DSS report and/or the ISO/IEC 27002 audit despite specifically requesting thus, along with other applicable data, suggest that there is an alarming number of issues already existing. And they haven't even been looked for. These need to be found, and sanitised before someone else finds them and exploits them.
The clock is ticking.