The Central Board of Secondary Education (CBSE) is set to penalise Hyderabad-based technology vendor Coempt Edu Teck Pvt. Ltd. following the discovery of vulnerabilities in its On-Screen Marking (OSM) platform, used to digitally evaluate Class 12 board examination answer sheets.

The controversy escalated after 19-year-old ethical hacker Nisarga Adhikary alleged on social media platform X that answer scripts and related examination data stored on an Amazon Web Services (AWS) bucket were publicly accessible due to improper configuration.

CBSE subsequently acknowledged vulnerabilities in the vendor's OnMark portal, deployed cybersecurity experts from government agencies and Indian Institutes of Technology (IITs), and stated that the identified weaknesses had been contained.

While board officials have maintained that answer books were not "leaked" and that student data is now secure, they confirmed that penalties would be imposed on the contractor under the Service Level Agreement (SLA) provisions of the tender.

However, despite public criticism and concerns over data security, blacklisting the company appears unlikely because relevant provisions allowing blacklisting were removed through a corrigendum issued before the contract was awarded.

Security Flaws Trigger Questions

The OSM platform was introduced as part of CBSE's effort to modernise the evaluation of Class 12 board examinations by digitising answer-sheet assessment. The system involved scanning answer books and enabling evaluators to mark them remotely through a centralised online platform.

However, concerns emerged soon after implementation, with students reporting blurred scans, missing pages, answer-sheet mismatches, delayed access to scanned copies and technical glitches.

The controversy deepened when Adhikary alleged that publicly accessible cloud storage could allow unauthorised users to browse and view answer-sheet files.

Sharing screenshots online, he claimed that the root directory of the AWS bucket was "publicly listable", enabling anyone to enumerate stored content without authentication.

Responding to growing public concern, CBSE said it had been "closely monitoring the vulnerabilities in the OnMark portal of our service provider that are being flagged in the public domain."

The board added that cybersecurity professionals had been deployed to strengthen the infrastructure and migrate systems to a more secure environment.

A CBSE official, speaking on condition of anonymity, acknowledged the vulnerabilities and said the vendor would face penalties under tender provisions.

"The vulnerabilities identified by the board show that there was a data breach related to students' data. It is obvious that penalties will be imposed due to various issues, which we identified and have now resolved," the official said.

Another official maintained that answer books had not been leaked, stating that the board's records indicated that examination data remained secure and that all identified vulnerabilities had been patched.

Tender Rules Under Spotlight

Beyond the cybersecurity concerns, the episode has also drawn attention to the contractual framework governing CBSE's digital evaluation initiative. The August 2025 tender for the OSM project introduced detailed Service Level Agreements that prescribed penalties for information leaks, security lapses, scanning errors and operational failures.

Under the agreement, vendors can be fined ₹1 lakh for every 15-minute delay in addressing critical issues after they are reported by CBSE officials, while delays in submitting root-cause analyses and corrective action plans can attract similar penalties every hour.

Additional fines are applicable for delays in providing technical support, training materials and operational assistance. However, scrutiny has intensified over changes made to the tender before the contract was awarded.