
Explained: The two cybersecurity controversies surrounding CBSE’s digital evaluation system

While the two controversies emerged from different directions, both ultimately centre on the same question: How secure, transparent and accountable is the system responsible for evaluating millions of students?

Published Jun 03, 2026 | 9:15 AM | Updated Jun 03, 2026 | 9:26 AM


Synopsis: The security and reliability of the CBSE’s digital evaluation system became the centre of a controversy after two young cybersecurity experts raised concerns: one flagged security issues in the portal, while the other pointed out irregularities in the tendering process. However, CBSE has maintained that the portal referenced in many public reports was a testing environment containing sample data and not the live evaluation system used to assess answer sheets.

When Class 12 student Sarthak Sidhant appeared before the Parliamentary Standing Committee on Education, Women, Children, Youth and Sports on Tuesday, 2 June, he was not there to challenge his examination marks.

Instead, he was questioning the system that evaluated them.

Sidhant’s presentation before MPs focused on alleged irregularities in the tendering process behind the Central Board of Secondary Education’s (CBSE) On-Screen Marking (OSM) platform, the digital system used to evaluate lakhs of Class 12 answer sheets.

His appearance came amid a separate controversy already engulfing the same platform. Earlier this year, 19-year-old cybersecurity researcher Nisarga Adhikary alleged that he had discovered multiple security vulnerabilities linked to the OSM ecosystem, raising concerns about student data protection and digital infrastructure security.

While the two controversies emerged from different directions, one from tender documents and another from cybersecurity research, both ultimately centre on the same question: How secure, transparent and accountable is the system responsible for evaluating millions of students?


What is the OSM system?

The On-Screen Marking (OSM) system is CBSE’s digital evaluation platform.

Introduced in 2014, the system was designed to reduce manual errors, improve consistency in marking and accelerate the evaluation process. Under the model, answer sheets are scanned, uploaded and assessed digitally by examiners rather than being physically handled.

The system today processes vast amounts of sensitive educational data, including answer sheets, examination records and marks.

CBSE reported this year that nearly 13,000 answer sheets had to be evaluated manually because scanning-related issues made digital assessment difficult in certain cases.

The platform was developed by Hyderabad-based Coempt Eduteck, a company now at the centre of both cybersecurity and procurement controversies.

The cybersecurity questions

The cybersecurity controversy gained national attention after Adhikary published a detailed blog outlining vulnerabilities he claimed to have discovered while examining the platform earlier this year. What began as a routine technical investigation soon evolved into a broader discussion about how securely India’s educational data is being handled.

According to Adhikary, several security controls appeared to be either improperly implemented or entirely absent. One of the most discussed allegations involved what researchers described as a “master password” embedded within the website’s frontend code.

To a non-technical user, frontend code is like a classroom blackboard. Everyone can see what is written on it. If a teacher accidentally writes the password to the staff room on the blackboard, every student can read it. Researchers allege that sensitive information was placed in a part of the website that users could inspect.

Adhikary argued that because the password was present in code accessible to users, it could potentially be extracted by anyone with basic technical knowledge. He also alleged weaknesses in authorisation controls.

Normally, online systems continuously verify whether users have permission to access a particular section. According to Adhikary, some of these checks were either weak or missing. Consider the OTP a bank sends to your mobile or email for a transaction: here, the allegation goes, the OTP would be sent even if you typed the wrong password, and it would be accepted.

In practical terms, experts compare such vulnerabilities to a building with doors but no guard checking who enters each room.

The cloud storage allegations

The controversy expanded further when Adhikary alleged that scanned answer sheets and question papers were publicly accessible through an unsecured cloud storage bucket linked to the system. Cloud storage functions like a digital warehouse where organisations store files.

Normally, such storage is protected through multiple layers of authentication and access controls. According to the allegations, however, files connected to the evaluation ecosystem could potentially be accessed without adequate restrictions.

The claims triggered concerns about student privacy because answer sheets contain personal information, examination records and academic data. Subsequent disclosures alleged that sensitive answer-sheet images and records could be viewed because of weaknesses in the storage configuration.

Although no public evidence has emerged suggesting that marks were altered or examination outcomes manipulated, cybersecurity experts argue that such exposures can become significant risks if left unresolved.

Techies’ emphasis: A common theme

The issue quickly attracted the attention of technology policy experts. Technology policy commentator Nikhil Pahwa argued that the episode highlighted the importance of taking vulnerability disclosures seriously.

He questioned why weaknesses reportedly identified months earlier had not been addressed sooner and called for greater transparency from public institutions when security flaws are reported.

In another post on X, Pahwa wrote: “I don’t do political reporting, but someone should look into the politics of why a trigger-happy Ministry of Censorship isn’t censoring the CBSE stuff. It’s an anomaly.”

Technology researcher Srinivas Kodali argued that public digital infrastructure should be subjected to stronger accountability standards. According to him, vulnerabilities identified by independent researchers should be viewed as opportunities to improve systems rather than as isolated incidents.

Responding to reports about the exposed cloud infrastructure, Kodali wrote on X: “Who should respond to a cyber security incident in Digital India? Answer: Everyone except Computer Emergency Response Team.”

For cybersecurity experts, the central issue is not whether marks were changed. There is currently no public evidence suggesting that happened. The concern is whether systems handling sensitive educational records were designed and maintained with adequate safeguards.

The tender questions

While cybersecurity researchers were examining code, Sidhant was examining paperwork. After analysing multiple CBSE tender documents related to the OSM platform, the student alleged that key requirements were modified during the procurement process.

His findings have now reached Parliament. According to Sidhant, one of the most significant changes involved the Capability Maturity Model Integration (CMMI) certification requirement.

CMMI certification is widely used to evaluate the maturity and quality of software development processes. Sidhant alleged that the required certification level was reduced from Level 5 to Level 3 in later versions of the tender documents.

He also pointed to the cancellation of an earlier tender process and claimed that provisions allowing disqualification for poor project performance had disappeared from subsequent versions of the Request for Proposal (RFP).

“The first discrepancy is that there were three clauses of ‘poor performance’ which were completely wiped out from the new RFP,” Sidhant said while explaining his analysis.

If the cybersecurity controversy focuses on whether the digital locks were strong enough, the procurement controversy asks a different question: How was the company responsible for those locks selected in the first place?

Coempt Eduteck eventually emerged as the lowest financial bidder and secured the contract ahead of larger competitors, including Tata Consultancy Services (TCS).

Sidhant has argued that changes in eligibility criteria and performance-related provisions may have benefited certain bidders.

The allegations remain unproven and have not been independently established by Parliament or any investigative agency. Nevertheless, they have become part of the broader review now underway.


CBSE’s response

CBSE has maintained that the portal referenced in many public reports was a testing environment containing sample data and not the live evaluation system used to assess answer sheets.

The board stated that no breach had been detected in the operational evaluation platform and that no evidence suggested student marks had been compromised.

However, CBSE later acknowledged vulnerabilities within a service-provider portal connected to the ecosystem and said steps had been taken to address the issues.

The board also stated that cybersecurity experts from government agencies and leading institutions, including IITs, had been deployed to strengthen security measures and audit the infrastructure.

CBSE reiterated that digital evaluation remains a globally accepted practice and continues to be an important component of modern examination management.

(Edited by Muhammed Fazil.)
