Yes, in general it's a great idea, but here are some important considerations:
Keep your site running
Ideally you don't want to do it on your production infrastructure. Have him use a non-production instance of your site (either hosted online, or locally on his computer).
If he's testing on your production site (live), your site may go down.
Keep your data safe
Testing database injections (or other attacks) can potentially harm your data. Again, you don't want to be running the tests on production infrastructure. The best scenario is to work locally.
Black-box or white-box
He'll have a better chance of finding issues if he has access to the code (white-box). If possible, give him access so that he can find issues.
Yes, have people hack your site. But don't let it get in the way of your users and don't let it cause permanent damage.