UnCERT-In: CBSE Fiasco Reveals Major Vulnerabilities in India's Cyber Security Systems
New Delhi: The recent fracas across the country around the Central Board of Secondary Education (CBSE) examination and its new On-Screen Marking (OSM) system has set off a domino effect. It has raised fundamental questions about a number of India’s institutions – including the Indian Computer Emergency Response Team (CERT-In), responsible for tackling issues of cybersecurity. Young ethical hackers, Class 12 students who are directly affected by this crisis, have exposed serious vulnerabilities in the country’s digital security agency’s work.
On May 13, CBSE announced the results of 17,04,367 students studying in board-affiliated schools across India. Very soon after, students who were surprised by their marks and had asked for re-evaluation or to look at their answer sheets began to report a range of issues: blurry scans, wrong answer scripts uploaded, payment gateway errors and more.
Adding to concerns, a 19-year-old student claimed that he had hacked the CBSE OSM portal and informed the board about the site’s vulnerability. In the last few weeks, names of Class 12 students like Sarthak Sidhant and Nisarga Adhikary have become more relevant than the names of India’s Minister of Education and the Union Minister of Electronics and Information Technology (MeitY). Sidhant and Adhikary are students and ethical hackers who exposed critical vulnerabilities in the CBSE OSM evaluation portal. They claimed to have breached the system in just 30 minutes, alleging the portal contained master passwords, OTP bypasses and unencrypted cloud storage, potentially allowing users to alter marks and student data. Experts from the Indian Institutes of Technology in Kanpur and Madras found that artificial intelligence (AI) tools, particularly Claude AI, were used to gain access to the CBSE OSM system.
The mismanagement and mix-ups in the CBSE digital evaluation infrastructure have raised questions that travel far beyond examination administration. While CBSE disputed allegations of lowering its standards to give the OSM contract to a Hyderabad-based educational technology company, the controversy has brought attention to a larger issue: what happens when vulnerabilities are discovered in digital systems used by public institutions?
The Indian Computer Emergency Response Team (CERT-In) was established in January 2004 under the Information Technology Act, 2000 to serve as the national nodal agency for managing, responding to and mitigating cybersecurity incidents across India. It is responsible for incident response, vulnerability reporting, coordination among stakeholders and issuing advisories relating to cyber threats. As India’s digital infrastructure has expanded across sectors ranging from finance, agriculture and healthcare to education and governance, CERT-In’s role has become increasingly central to the country’s broader cyber-security architecture.
During Operation Sindoor in 2025, government agencies warned of heightened cyber threats targeting Indian institutions, while CERT-In issued advisories to critical sectors. The episode proved the agency’s role not only in responding to cyber incidents but also in identifying vulnerabilities and coordinating preventive action before systems can be compromised.
The CBSE controversy, however, raises a different set of........
