What keeps fundraising platforms safe? Ethical hackers!

Donor data is worth its weight in gold — and is therefore a prime target for cybercriminals. RaiseNow processes tens of thousands of transactions every day, so security cannot be left to chance. That’s why the fundraising platform relies on ethical hacking to detect vulnerabilities before attackers can exploit them. From bug tests and live hacking events to bug bounty programs and a Vulnerability Disclosure Program (VDP) — RaiseNow is always one step ahead when it comes to cybersecurity.

We spoke with Raphael Matile, CTO of RaiseNow, about how ethical hacking helps them continuously improve platform security.

Raphael, tell us briefly: what does RaiseNow do?

Since its founding in Zurich in 2015, RaiseNow has aimed to simplify access to modern fundraising. The platform enables nonprofits, associations, and charitable organizations to collect donations efficiently, mobilize supporters, and build long-term relationships with their communities.

With a wide range of payment options — including TWINT, credit cards, PayPal, and digital wallets — RaiseNow reduces barriers for donors and simplifies the entire donation process. With over 20,000 customers, RaiseNow processes tens of thousands of donation transactions daily, placing high demands on scalability and security.

What are the biggest challenges when it comes to protecting sensitive donor data?

Security is a top priority at RaiseNow. In addition to protecting sensitive donor data, our biggest challenges lie in continuously evolving our platform without introducing new vulnerabilities — all while complying with strict regulatory frameworks such as PCI DSS and the GDPR. Three core factors shape our security strategy:

  • High transaction volume & sensitive donor data: We process a high volume of transactions every day and manage sensitive information. That makes us a valuable target for cyberattacks.
  • Fast development cycles: Our platform is in constant evolution — new features must be deployed securely and not introduce new risks.
  • Strict compliance requirements: As a payment service provider, we are subject to standards like PCI DSS and the GDPR, which must be continuously met and integrated into our security strategy.

How did your journey into Ethical Hacking begin?

Raphael Matile, RaiseNow CTO, at the GOhack live bug bounty challenge

We gradually introduced ethical hacking into our processes. We started with a bug test to assess our current security posture — and it already yielded valuable insights.

We then participated in the GOhack bug bounty challenge event in December 2023, where the ethical hacker community from GObugfree spent two days testing a defined scope intensively. That gave us further hands-on experience with bug bounty testing and helped us identify even deeper security gaps.

That led to the launch of our own bug bounty program, allowing us to work continuously with security researchers and safeguard our platform over the long term. In addition, we introduced a Vulnerability Disclosure Program (VDP) to capture and address reports that fall outside the official bug bounty scope.

Bug Bounty helped us define clear processes, work more efficiently, and improve our long-term security strategy.
Raphael Matile, RaiseNow CTO

What are the biggest benefits of working with ethical hackers?

Working with ethical hackers has not only improved our security, but also made our internal processes more efficient — and brought valuable new perspectives.

Structured processes & clear workflows: Before, we received reports through various uncoordinated channels. Now, everything runs through a defined process with a clear scope, validated reports, and a transparent reward system.

New perspectives from ethical hackers: The security community brings entirely new perspectives. They often discover vulnerabilities that internal teams — or automated tools — would overlook. Their creativity and diversity help us uncover blind spots we didn’t even know we had.

Faster fixes for developers: Detailed reports with reproduction steps allow our developers to understand and resolve issues faster. Security issues are identified early and integrated directly into our agile development process.

Greater trust across the company: Bug bounty has boosted our security culture across departments. Sales and customer success teams can confidently communicate our transparent security strategy to clients — especially large organizations with strict compliance needs.

Testing in production (on request): We test in our live environment using GObugfree’s invite-only model — ensuring real-world testing without impacting ongoing operations. It also gives us full control over the scope and participants.

With our bug bounty program, we not only meet regulatory requirements — we stay a step ahead of potential attackers by closing vulnerabilities proactively.
Raphael Matile, RaiseNow CTO

How does bug bounty help you meet compliance requirements?

Bug bounty and VDP allow us to proactively meet regulatory standards like the GDPR and PCI DSS. Thanks to close collaboration with the security community, we can implement necessary adjustments well before external audits — and strengthen client trust along the way.

Why is a strong security concept important for your customers?

Security is essential to our customers — especially large NGOs and banks. They face strict compliance requirements and expect us to offer a secure, trustworthy platform. Our transparent security approach makes it easier for them to meet their own standards and builds long-term confidence in our platform.

What’s next for your bug bounty program?

The program has proven extremely valuable. We're now looking at expanding the scope to include more features and address future security needs earlier. Our goal is Security-by-Design for all new products — starting from day one.

Conclusion: Why Ethical Hacking Is Essential to RaiseNow's Security Strategy

RaiseNow has evolved from traditional security testing to a comprehensive ethical hacking approach:

  • Bug tests, GOhack, Bug Bounty, and VDP ensure continuous security
  • Regulatory requirements are proactively met
  • Collaboration with ethical hackers brings fresh insights & supports secure development
  • Testing in production ensures real risks are effectively addressed
