New Delhi: Nisarga Adhikary, 19, who made headlines after uncovering critical security vulnerabilities in a CBSE examination portal, has been hired as an Open-Source Intelligence (OSINT) and threat intelligence engineer at C3iHub, IIT Kanpur’s technology innovation hub focused on cybersecurity.The appointment came after IIT Kanpur director Manindra Agrawal read Adhikary’s post, published on May 22 on his website, detailing the flaws in the CBSE portal. Agrawal reached out to him shortly after that.“Nisarga Adhikary has been appointed as an engineer in our cybersecurity team. A few years ago, we had similarly recruited a couple of young engineers for the same team. I am not sure whether he is the youngest recruit at IIT Kanpur, but he is certainly among the youngest engineers to have been hired by the institute,” Agrawal was quoted as saying by Hindustan Times.Adhikary, who just cleared his class 12 board exams this year, will analyse actionable information from publicly available sources and identify vulnerabilities in websites and applications, helping organisations address and patch potential security flaws, officials told HT. The role is contractual.“I am excited about this opportunity because it is the first time I will be working in a security-focused role. In my earlier jobs, I primarily worked as a software engineer, while cybersecurity was more of a hobby,” Adhikary told HT.Also read: Facing Mounting Questions, CBSE Drops Coempt’s On-Screen Marking Platform: ReportsHe began coding when he was around six or seven years old, and by class 6 was already competing in Capture the Flag contests — gamified hacking challenges where participants probe intentionally vulnerable systems to find hidden targets.IIT Kanpur officials have not mentioned the salary that they have offered Adhikary who said he was “expecting a bit more”.“The salary is decent, but I was expecting a bit more. I’m used to working on projects and with companies based in the US, and I do miss the financial advantage that comes with earning in dollars because of the USD-INR conversion,” he said.“I want to work on building startups and products which people use. I am not much interested in academia,” he added.The CBSE has now moved the re-evaluation process for class 12 answer scripts away from the platform operated by Hyderabad-based Coempt Eduteck Pvt Ltd and onto infrastructure controlled by the board, amid concerns over the security of the vendor’s on-screen marking (OSM) system.Adhikary had flagged five critical vulnerabilities in the CBSE’s OSM portal to cybersecurity watchdog CERT-In as far back as February 25, which included a master password stored in plain text that let users sidestep two-factor authentication entirely. Only one flaw was fixed before the portal was eventually pulled offline.“When this master password was entered into the login form, the app automatically filled the OTP field and bypassed the normal authentication flow entirely. There was no second factor to clear and no server-side check to satisfy. Entering the magic string was enough,” Adhikary wrote on his blog.Among other things, he had also pointed out that “the OTP step turned out to be pure theatre”.“When you trigger authentication, the server sends the OTP back inside the auth response, and the JavaScript running in your browser compares what you typed against that value locally before letting you through,” Adhikary wrote.