IIT Panel Flags Inadequate Testing In CBSE OSM Portal, Cites Security & Functional Assessment Gaps, Calls For Stronger Audits
· Free Press Journal

New Delhi: The On-Screen Marking (OSM) portal, used for evaluating the Class XII answer sheets of lakhs of students, was not "thoroughly" tested and did not undergo a "sufficient" assessment of its functionality, security vulnerabilities, and potential threats before deployment, a member of the IIT panel auditing the CBSE post-result ecosystem told ANI.
IIT panel to submit report soon
The IIT panel, constituted following the controversy surrounding the OSM portal, is expected to submit its report to the Education Ministry on its findings and recommendations in the coming days.
Collaboration with IITs and agencies
Officials from IIT Madras and IIT Kanpur worked closely with the CBSE and other agencies, such as the Digital India Corporation (DIC), to identify vulnerabilities in the CBSE post-exam ecosystem.
Development of a new portal
After identifying multiple vulnerabilities in the OSM portal, the IIT panel assisted in the development of a new examiner-facing portal using the base code of the now-discontinued system. The new portal is currently being used for the verification and re-evaluation of answer sheets.
Audit shortcomings of original portal
One of the key observations of the panel was that the original portal had undergone an audit, but the process was not comprehensive enough, and several critical vulnerabilities remained undetected.
"It was not thoroughly tested. It is not like it (the portal) was not tested, there was an auditor hired by CBSE who tested it and gave its go ahead and everything. But a thorough analysis was not done, that should have been done. The auditing was not sufficient," the member of the IIT panel told ANI on the condition of anonymity.
Private IT provider involvement
The portal was created and managed by a private IT service provider named Coempt Eduteck, which is at the centre of the Class XII result controversy.
Ethical hacker's findings
The IIT panel member referred to the findings of 19-year-old ethical hacker Nisarga Adhikary from West Bengal, who independently identified several vulnerabilities that were also observed during the IIT panel's assessment.
"The auditing was done, and some vulnerabilities were found, but several others were missed. Systems handling critical data require deeper and more rigorous security analysis," the panel member said.
Security flaws highlighted
Nisarga had highlighted severe flaws in the portal, including vulnerabilities that allowed OTP bypass, access to examiner accounts through a hardcoded master password, and potential access to millions of students' answer sheets.
I had hacked CBSE's OSM (On-Screen Marking Portal) in February and had reported the vulnerabilities to CERT-In, but they were unable to patch most of them.
I've written a detailed blog post about it here: https://t.co/qyT23GkTEJ
— nisarga (@ni5arga) May 22, 2026
Advanced security practices recommended
Explaining the kind of security assessment required for such sensitive platforms, the IIT panel member said that advanced security practices, including vulnerability assessment, penetration testing, and Red Team-Blue Team exercises, should be carried out to stress-test the system's defences.
"Cybersecurity operations involve offensive and defensive functions. There are Red Teams and Blue Teams that attempt to identify weaknesses and strengthen the system. All these mechanisms need to be employed to thoroughly examine a platform of this scale," the member said.
Recommendations for multi-layered audits
The recommendation for deeper and multi-layered security audits of sensitive digital platforms will be part of the IIT panel's report to the ministry.
"Portals that are exposed to the external world need to be thoroughly tested for functionality, threats and security. We will be giving these recommendations more specifically in our report," the panel member said.
No evidence of data misuse
The member also clarified that while the ethical hacking incident exposed serious vulnerabilities, there was no evidence to suggest that student records had been leaked or misused.
"I spoke to Nisarga. He was able to download some data, but deleted it. We have not observed any evidence of records being leaked outside. It was an ethical hack," the member said.
New portal not a long-term solution
When asked whether the newly developed portal could be used for the next examination cycle, the IIT panel member described it as "a kind of patchwork" and indicated that a more robust and long-term solution would be required.
CBSE cannot work entirely in-house
On the lessons for the future and whether CBSE can conduct the entire digital evaluation process in-house without involving private vendors, the member said that the Board currently does not have the required technical expertise to independently build and manage such large-scale systems and would need to engage external agencies.
"CBSE cannot do everything in-house and completely avoid involving third parties. It does not have that level of expertise. They need to engage with specialised organisations," the member said.
Control over data is crucial
The panel member stressed that the most important lesson from the OSM controversy was that CBSE must retain greater control over its data and ensure that any platform handling sensitive examination records undergoes a comprehensive security assessment before deployment.
"The first thing needed is that CBSE should have control over the data. There has to be a thorough security analysis, which was not done adequately in this case," the member said.
(Except for the headline, this article has not been edited by FPJ's editorial team and is auto-generated from an agency feed.)