IIT audit reveals vulnerabilities in CBSE’s OSM system: Did oversight fail India’s largest school board?

The controversy surrounding CBSE’s On-Screen Marking portal has evolved into a larger debate on cybersecurity, accountability and digital governance. As an IIT-led panel prepares its final report, the episode highlights the challenges of securing high-stakes examination systems and raises important questions about how public institutions manage and monitor critical digital infrastructure.

The controversy around the Central Board of Secondary Education’s (CBSE) On-Screen Marking (OSM) portal is no longer just about a software glitch. It has opened up a much larger debate about accountability, digital governance, and the risks of relying on technology that may not have been thoroughly tested before being introduced into a system that affects millions of students.

As an IIT-led audit panel prepares to submit its report to the Ministry of Education, the findings emerging from the investigation raise serious concerns. The key issue is not that the portal was launched without any audit. Rather, according to a member of the IIT panel who spoke to ANI on condition of anonymity, the system was audited, but the checks were not comprehensive enough to detect several vulnerabilities that surfaced later.

Audited, yet vulnerable

The distinction is significant. The problem was not an absence of security testing, but the potential inadequacy of the testing procedures for a portal managing such sensitive exam results.

As cybersecurity professionals will attest, there is a big difference between compliance testing and thorough security testing that simulates a realistic cyberattack scenario. In this case, it seems that even though the portal was audited, it did not undergo that kind of thorough testing.

The questions raised by an ethical hacker

One of the most talked-about aspects of the controversy is the role played by 19-year-old ethical hacker Nisarga Adhikary from West Bengal.

The vulnerabilities reportedly identified by Adhikary, including alleged OTP bypass methods, examiner account access through a hardcoded master password and possible access routes to answer-sheet data, were later found to be broadly similar to issues observed during the IIT panel’s assessment.

The larger concern is not that a young ethical hacker discovered these weaknesses. The concern is that vulnerabilities identified outside official security systems were not flagged during earlier audits. The episode has raised questions about how robust existing security review mechanisms really are.

Digitalisation brings new challenges

India’s education system has rapidly moved online over the past decade. Examinations, admissions, evaluation, scholarships and other processes that were traditionally handled manually can now be handled through digital channels.

While technology has made these processes easier and faster, the OSM case shows how dangerous digital expansion becomes when it is not matched by appropriate safeguards.

Examination systems differ from commercial platforms: the failure of an e-commerce platform may cause inconvenience, but a security lapse in an examination system can raise doubts about fairness, credibility and public trust.

For students, parents and educators, confidence in the examination process is as important as the process itself.

Technology can be outsourced, accountability cannot

The OSM portal was developed and managed by Coempt Eduteck, the private technology company that has come under scrutiny following the controversy.

However, according to the IIT panel member, the problem does not appear to be limited to one particular vendor.

Government agencies turn to private companies for their technology needs because building and maintaining such systems is not an easy task and requires technical expertise. The IIT panel member acknowledged that it may be hard for CBSE to do all of this alone.

But experts believe that even when services are outsourced, accountability for the proper functioning of such systems cannot be.

A temporary fix, not a permanent solution

Once these vulnerabilities were highlighted, representatives of IIT Madras and IIT Kanpur, along with CBSE and the Digital India Corporation, came together to look for weaknesses and develop another platform for examiners.

Currently, this new platform is being used for verification and re-evaluation. However, according to the IIT representative, it can be considered “kind of patchwork,” implying that it could be a temporary solution.

That observation raises an important question for policymakers. Should critical examination infrastructure continue to be upgraded only after problems emerge, or is it time for a more comprehensive and future-ready approach to educational technology?

Security must be built in, not added later

One of the major recommendations expected from the IIT panel is the adoption of stronger cybersecurity practices before platforms are deployed.

According to the panel member, systems of this scale should undergo vulnerability assessments, penetration testing and Red Team-Blue Team exercises designed to simulate real cyberattacks.

These practices are standard in mature cybersecurity environments. Their purpose is simple: identify weaknesses before malicious actors can exploit them.

The emphasis on such measures suggests that cybersecurity may not yet be fully embedded into the design process of some public digital platforms. Instead, it often receives attention only after concerns are raised.

No evidence of misuse, but concerns persist

The IIT panel member told ANI that investigators found no evidence that student records were leaked or misused.

According to the assessment, the ethical hacker accessed and downloaded certain data but later deleted it, and there is no indication that examination records were distributed or exploited.

That finding is likely to reassure students and parents. However, experts caution that the absence of actual damage does not eliminate concern. The larger issue is that vulnerabilities existed in a system handling highly sensitive academic information in the first place.

A wake-up call for public digital systems

The OSM controversy is about much more than one portal or one security audit. It highlights the challenges public institutions face as governance increasingly depends on digital infrastructure.

As CBSE awaits the IIT panel’s final report, one message is becoming clear: Institutions must maintain stronger control over sensitive data and ensure that critical platforms undergo exhaustive security testing before they are rolled out.

The lesson extends beyond the education sector. As more public services move online, trust in institutions will increasingly depend on the strength and reliability of the technology supporting them.

The OSM episode serves as a reminder that in today’s digital world, security is not just a technical requirement. It is essential to maintaining public confidence in the institutions people rely on every day.

(With inputs from ANI)


