New Delhi: The recent fracas across the country around the Central Board of Secondary Education (CBSE) examination and its new On-Screen Marking (OSM) system has set off a domino. It has raised fundamental questions about a number of India’s institutions – including the Indian Computer Emergency Response Team (CERT-In), responsible for tackling issues of cybersecurity. Young ethical hackers, Class 12 students who are directly affected by this crisis, have exposed serious vulnerabilities in the country’s digital security agency’s work.What’s happened?On May 13, CBSE announced the results of 17,04,367 students studying in board-affiliated schools across India. Very soon after, students who were surprised by their marks and had asked for re-evaluation or to look at their answer sheets began to report a range of issues: blurry scans, wrong answer scripts uploaded, payment gateway errors and more.Adding to concerns, a 19-year-old student claimed that he had hacked the CBSE OSM portal and informed the board about the site’s vulnerability. In the last few weeks, names of Class 12 students like Sarthak Sidhant and Nisarga Adhikary have become more relevant than the names of India’s Minister of Education and the Union Minister of Electronics and Information Technology (MeitY). Sidhant and Adhikary are students and ethical hackers who exposed critical vulnerabilities in the CBSE OSM evaluation portal. They claimed to have breached the system in just 30 minutes, alleging the portal contained master passwords, OTP bypasses and unencrypted cloud storage, potentially allowing users to alter marks and student data. Experts from the Indian Institutes of Technology in Kanpur and Madras found that artificial intelligence (AI) tools, particularly Claude AI, were used to gain access to the CBSE OSM system.The mismanagement and mix-ups in the CBSE digital evaluation infrastructure has raised questions that travel far beyond examination administration. While CBSE disputed allegations of lowering its standards to give the OSM contract to a Hyderabad-based educational technology company, the controversy has brought attention to a larger issue: what happens when vulnerabilities are discovered in digital systems used by public institutions?The role of CERT-InThe Indian Computer Emergency Response Team (CERT-In) was established in January 2004 under the Information Technology Act, 2000 to serve as the national nodal agency for managing, responding to and mitigating cybersecurity incidents across India. It is responsible for incident response, vulnerability reporting, coordination among stakeholders and issuing advisories relating to cyber threats. As India’s digital infrastructure has expanded across sectors ranging from finance, agriculture and healthcare to education and governance, CERT-In’s role has become increasingly central to the country’s broader cyber-security architecture.During Operation Sindoor in 2025, government agencies warned of heightened cyber threats targeting Indian institutions, while CERT-In issued advisories to critical sectors. The episode proved the agency’s role not only in responding to cyber incidents but also in identifying vulnerabilities and coordinating preventive action before systems can be compromised.The CBSE controversy, however, raises a different set of questions. According to information presented before a parliamentary panel, CERT-In flagged vulnerabilities in the online evaluation ecosystem on multiple occasions between February and May 2026 and reportedly found one portal unsuitable for deployment in a production environment. These revelations suggest that concerns regarding the platform’s security were communicated to authorities before the controversy entered the lives of lakhs of students and the public domain.During an emergency security assessment, CERT-In reportedly concluded that one of the portals was “not fit for deployment in a production environment”, raising concerns about its readiness for large-scale live operations. The OnMark platform, developed by Hyderabad-based Coempt EduTeck and hosted on Amazon Web Services (AWS) India infrastructure, was used for the OSM of Class 12 answer sheets this year.If CERT-in identified vulnerabilities and issued a warning, why did CBSE continue to trust Coempt EduTeck’s mechanisms? And what mechanisms exist to ensure that vulnerability disclosures are acted upon? How are remedial measures independently verified? And when systems handling the records of millions of citizens are involved, what degree of transparency should public institutions provide regarding cyber-security risks and corrective action?One of the hackers who got into the CBSE portal, Adhikary, said that he sent emails to multiple authorities, including CERT-In and other government-linked cybersecurity offices, but did not receive a satisfactory response. The Wire too reached out to CERT-in six days before this story was published, to seek their official response on the vulnerabilities. In a detailed set of queries sent to CERT-In, The Wire sought clarity on when the agency first became aware of the alleged vulnerabilities in the CBSE OSM platform and whether any forensic review or technical analysis had been initiated. The questions pressed the cybersecurity agency to reveal if student data, evaluator credentials or examination records had been compromised, and whether CERT-In considers platforms handling such high volumes of sensitive academic data to be part of India’s critical digital infrastructure. Additionally, the communication sought to establish what cybersecurity standards or advisories CERT-In had issued to educational boards following the incident, and whether the agency intends to publicly share its findings or lessons learned from the matter.Despite several calls and emails, CERT-In has not responded to the queries yet.Why does this happen?The incident has also accentuated a critical concern within India’s digital governance realm. Cyber-security experts have long argued that effective cyber defence depends not only on identifying vulnerabilities but also on ensuring accountability across the institutions responsible for addressing them.Sunny Nehra, an ethical hacker and founder of Secure Your Hacks, a platform offering advanced solutions to businesses navigating the ever-present dangers of the digital world, views the information revealed by students as just the tip of the iceberg.Speaking to The Wire, Nehra said, “The biggest issue is not the lack of cybersecurity policies. India has policies, guidelines, audits, CERT-In advisories and compliance frameworks. The real problem is execution. Our government technology procurement is driven by tender processes where cost often becomes the dominant factor. The company bidding the least gets the tender of developing the websites, and they often outsource the projects further to cheapest developers in the market. Projects worth crores may ultimately be developed through multiple layers of subcontracting, with actual implementation sometimes being done by teams working under severe budget constraints”.Nehra, who has the experience of more than a decade in hands-on cybersecurity, said, “I have reported several critical vulnerabilities in government as well private websites.”He says that the actual problem with exam procedures is the vulnerabilities in the softwares on which exams are conducted. “I have handled digital forensics several exams hacking cases, and one thing I have noticed is that the exam conducting softwares in the market are vulnerable. The companies making these tools have in fact no idea about the kind of attacks hackers use against such systems in real word attacks. We rather need special red teaming, and special compliances for exam softwares in this nation,” Nehra said. Red teaming refers to the practice of hiring simulators to behave like a cyberattacker might, to stress test the system and check its strength.On being asked why we continue to see basic security flaws in critical public systems, despite India heavily investing in digitisation in the last decade, Nehra explained that digitisation and cybersecurity are not the same investment. “Building a portal is relatively easy. Maintaining a portal securely for years is difficult. Many projects receive funding for development but not for continuous security testing, bug hunting, architecture reviews, patch management, threat intelligence, and monitoring. Security is often treated as a one-time activity before launch instead of an ongoing process,” he explained.Adding that the economics of testing are also a concern, Nehra maintained that in many cases, the budgets allocated for security assessments are extremely low compared to the complexity and criticality of the systems being tested. “If an organisation expects comprehensive security assurance for a fraction of what private-sector organisations spend, the outcome should not be surprising. Security quality is directly related to the time, expertise, and resources invested in it,” he said.When Digital India goes offlineAmid this fiasco, it is important to recall how the Modi government has spent the last decade building what it calls a “Digital India” ecosystem: expanding online governance, digitising public services, examinations, welfare delivery, health records, payments and identity systems. Launched in 2015, the Digital India programme became a flagship governance initiative aimed at creating a narrative that India is a digitally educated and developed nation where citizens access schemes and services online and on-the-go.The narrative includes the Aadhaar integration, DigiLocker, CoWIN, UMANG, DigiYatra, direct benefit transfers, digital land records, online examination systems and a range of service platforms. The government subsequently extended the programme and approved an expanded Digital India outlay of nearly Rs 14,903 crore for the 2021-26 period, while annual allocations to the Ministry of Electronics and Information Technology have steadily increased as digitisation became central to governance.Successive governments under the BJP have argued that digitisation improves efficiency, transparency and access to public services. The abovementioned initiatives under Digital India have frequently been showcased as examples of India’s digital transformation, but have also witnessed controversies involving data breaches, ransomware attacks, cybersecurity vulnerabilities and examination-related technology failures. From Aadhaar-linked data access concerns and the AIIMS ransomware attack – where 1.3 TB data encrypted and five servers were affected – to CoWIN-related data glitches, the ICMR data leak which exposed the personal information of roughly 81.5 crore citizens on the dark web and more recent questions surrounding examination infrastructure such as NEET, CUET and CBSE’s OSM platform, there have been questions galore about India’s data security and governance infrastructure.On the cybersecurity maturity of Indian government-run digital platforms, Syed Haseeb Rizvi, founder, SHELL InfoSec, told The Wire that India was in what one would refer to as a “transitional-stage”, where it is currently in the process of digitization. “If you look at UPI for example, NPCI has done a great job in terms of the architectural security as well as the scalability of UPI, with the existence of Security Operations Center (SOC)s, Regular Audits, Industry-Standard Incident Response protocols etc, which did not exist a decade ago. While this is all very flashy sounding, on the other hand, this controversy (CBSE) has sparked concern in ways that I think is critical for our digital infrastructure and the practices that we use,” Rizvi said.Rizvi, who has received training from Google, Cisco, IBM and Cybrary as part of his journey in cyber security, views the issue as a clear example of poorly secured test environments without proper sandboxing isolation, and gross negligence with respect to the master credentials of a system as well as the OTP authentication system which was architecturally flawed as it sent out a copy of the two-factor authentication code to the frontend of the website to avoid load on the backend.“A mature cybersecurity culture is not measured by whether vulnerabilities exist. Every large organisation has vulnerabilities. Maturity is measured by how quickly vulnerabilities are reported, acknowledged, fixed and communicated,” he said.And part of this maturity is knowing how to collaborate with others. “Ethical hackers in India have a bit of a love-hate relationship with CERT-In,” Rizvi said. “I myself have reported issues and seen them fixed, which feels great. But many others find the process slow, confusing and stressful – sometimes leaving them unsure if their report is even being looked at, or worried about legal trouble. Unlike some international organisations that make researchers feel like partners with clear rules and recognition, CERT-In can feel distant.”“At the end of the day, good cybersecurity isn’t just about firewalls and codes – it’s about trust and collaboration between the people finding the problems and the people running the systems.”Tarushi Aswani is an independent journalist.