Independent security audit of CBSE’s OSM portal sought
1. At a Glance
- CBSE deployed a mandatory On-Screen Marking (OSM) digital evaluation system, "OnMark," for Class 12 answer scripts in the 2026 board exam cycle, outsourced to private vendor Coempt EduTeck Pvt. Ltd. [S1][S2]
- Digital rights body Internet Freedom Foundation (IFF) has demanded an independent, third-party security audit of the OSM portal and public disclosure of its executive summary, citing unpatched vulnerabilities and mass student complaints. [S3]
- Tests a UPSC aspirant's grasp of e-governance in education, data protection, vendor accountability, and CERT-In's cybersecurity mandate — a live GS-II/GS-III governance-tech crossover issue.
2. Why in the News
- 9 February 2026: CBSE circular mandates OSM for Class 12 answer books, run on vendor Coempt EduTeck's "OnMark" platform. [S2]
- 13 May 2026: Class 12 results announced; widespread complaints of blurred scans, missing/mismatched answer sheets, unmarked answers, and anomalous marks in core subjects. [S2]
- A teenage ethical hacker (Nisarga Adhikary) publicly disclosed SQL injection and authentication-bypass flaws allowing full examiner account takeover, reported earlier to CERT-In (Feb 2026), left unpatched for nearly three months. [S1]
- 28 May 2026: IFF's letter to the Ministry of Education and MeitY seeking an independent security audit is reported by The Hindu. [Article]
3. Background & Evolution
- OSM (on-screen/digital) evaluation replaces manual paper-based marking: physical answer scripts are scanned and marked digitally by examiners on a portal. [S2]
- CBSE contracted a private tech vendor (Coempt EduTeck Pvt. Ltd.) to build/operate the underlying OnMark infrastructure rather than an in-house or government system. [S1][Article]
- Following disclosure of vulnerabilities, CBSE stated it deployed cybersecurity experts from government agencies and IITs (reported: IIT Madras, IIT Kanpur) to contain the flaws and strengthen the portal. [S1]
- Controversy escalated with allegations CBSE circulated a "communication toolkit" pressuring school principals to post coordinated social-media defenses of OSM. [S2]
4. Core Static Facts
| Item | Detail |
|---|---|
| System | On-Screen Marking (OSM) / "OnMark" application |
| Vendor | Coempt EduTeck Pvt. Ltd. (private) |
| Implementing body | Central Board of Secondary Education (CBSE) |
| Nodal ministry | Ministry of Education (School Education & Literacy Dept.) |
| Cyber nodal agency involved | CERT-In (Indian Computer Emergency Response Team), under MeitY |
| Circular date | 9 February 2026 |
| Applicable class | Class 12 board examination answer scripts |
| Result date | 13 May 2026 |
| Key vulnerabilities reported | SQL injection; authentication bypass leading to examiner account takeover [S1] |
| Complainant/advocacy body | Internet Freedom Foundation (IFF); also SFLC.in filed a separate representation [S3][S4] |
| Demand | Independent audit by an auditor not previously engaged by CBSE/vendor; public executive summary [Article] |
5. Multi-Dimensional Analysis
- Governance/Ethical: Outsourcing sensitive examination data (scanned answer scripts, student PII) to a private vendor without apparent independent security vetting raises accountability and transparency concerns; IFF specifically demands an auditor with no prior CBSE/vendor engagement to avoid conflict of interest. [Article]
- Legal/Constitutional: Touches data protection obligations relevant under the Digital Personal Data Protection (DPDP) framework and CERT-In's statutory incident-reporting mandate for critical digital infrastructure. [S1]
- Administrative: Exam-body-vendor contract management failures — vulnerabilities reported in February remained unpatched through result declaration in May, exposing gaps in CBSE's IT procurement and incident-response protocols. [S1]
- Social: Direct impact on lakhs of Class 12 students' academic and career trajectories due to alleged wrong marks, mismatched sheets, and eroded trust in board evaluation integrity. [S2]
- Scientific/Technological: Highlights risks of rapid digitisation of high-stakes public examination infrastructure without adequate penetration testing, patch management, and access controls before mass rollout. [S1]
- Institutional response: CBSE's reactive deployment of IIT-affiliated cybersecurity experts post-disclosure, rather than pre-deployment audit, illustrates a "patch-after-breach" governance pattern. [S1]
6. Recent Developments (last 12-18 months)
- Feb 2026: CBSE mandates OSM rollout for Class 12 evaluation via OnMark/Coempt EduTeck. [S2]
- Feb 2026: Ethical hacker discloses SQL injection/auth-bypass vulnerabilities to CERT-In. [S1]
- 13 May 2026: Results declared; mass complaints of scan/marking errors surface, including a viral case of a mismatched answer sheet (Vedant Shrivastava). [S2]
- May 2026: CBSE admits security gaps; deploys IIT Madras/IIT Kanpur experts and government cyber agencies to contain flaws. [S1]
- 28 May 2026: IFF formally writes to Ministry of Education and MeitY demanding an independent, vendor/board-unaffiliated security audit with public disclosure of findings. [Article]
7. Prelims Hooks
- OSM stands for On-Screen Marking; the CBSE application is branded "OnMark."
- OSM was mandated for Class 12 answer scripts via a CBSE circular dated 9 February 2026.
- Vendor providing OSM tech infrastructure: Coempt EduTeck Pvt. Ltd. (private company, not a government agency).
- CBSE Class 12 results for the 2026 controversy year were declared on 13 May 2026.
- Digital rights body demanding the audit: Internet Freedom Foundation (IFF).
- IFF's letter was addressed to the Ministry of Education and the Ministry of Electronics and Information Technology (MeitY).
- Reported vulnerabilities included SQL injection and an authentication bypass enabling examiner account takeover.
- CERT-In (Indian Computer Emergency Response Team) is the nodal cyber-incident agency that received the vulnerability disclosure.
- CBSE reportedly engaged experts from IIT Madras and IIT Kanpur post-controversy to strengthen portal security.
- Another legal/digital-rights body, SFLC.in, separately filed a representation on OSM portal vulnerabilities.
- IFF's specific ask: audit by a party not previously engaged by CBSE or the vendor, with the executive summary made public.
8. Mains Relevance
- GS-II: Governance — transparency, accountability, e-governance applications, citizen charters, and data protection; Government policies/interventions for development in sectors like education.
- GS-III: Science & Technology — cybersecurity, IT/data protection issues; role of CERT-In and critical information infrastructure protection.
- Plausible question stems: 1. "Examine the governance risks associated with outsourcing critical public examination infrastructure to private vendors, with reference to the CBSE On-Screen Marking (OSM) portal controversy." (GS-II) 2. "Discuss the significance of independent, third-party cybersecurity audits for e-governance platforms handling sensitive citizen data. What safeguards should be institutionalised?" (GS-III) 3. "Digitisation of examination evaluation systems promises efficiency but exposes new vulnerabilities. Critically analyse in light of recent controversies in India." (GS-II/III)
9. Related Topics to Study Next
- Digital Personal Data Protection (DPDP) Act, 2023 — governs handling of student PII on such portals.
- CERT-In and its 2022 cybersecurity directions — mandatory incident reporting timelines for entities like CBSE/vendors.
- National Cyber Security Policy/Strategy — broader framework for critical digital infrastructure protection.
- PPP models in e-governance — accountability challenges when private vendors run public service digital infrastructure.
- NEP 2020 and digital education initiatives — context for CBSE's push toward digitisation.
- Right to Education / examination reforms — student rights vis-à-vis evaluation errors and re-evaluation mechanisms.
- Ethical hacking and responsible disclosure norms in India — role of independent researchers (as in this case) in flagging government system flaws.
10. Common Errors / Trap Areas
- Do not confuse CBSE (an autonomous body under the Ministry of Education) with NCERT — CBSE conducts exams; NCERT designs curriculum/textbooks.
- Do not attribute vendor "Coempt EduTeck" as a government/PSU entity — it is a private company.
- Distinguish CERT-In (technical cyber incident response, under MeitY) from NCIIPC (protects critical infrastructure, under NSCS) — CERT-In is the body referenced here.
- Do not confuse this year's controversy with any earlier CBSE paper-leak episodes (e.g., 2018 leak) — this is specifically a digital evaluation/OSM portal security issue, not a paper leak.
- IFF and SFLC.in are separate digital rights organisations that filed distinct but related representations — don't merge their asks into one.
11. Sources
- [Article] Independent security audit of CBSE's OSM portal sought — The Hindu — https://www.thehindu.com/todays-paper/2026-05-28/th_international/articleGKCG1N9EC-14741324.ece — (tier: 4)
- [S1] CBSE OSM Controversy Explained: Board Admits Security Gaps After On-Screen Marking Portal Hack — Gulf News — https://gulfnews.com/uae/education/cbses-osm-controversy-explained-why-the-board-admits-security-gaps-after-portal-was-hacked-1.500558632 — (tier: 4)
- [S2] 2026 CBSE On-Screen Marking controversy — Wikipedia — https://en.wikipedia.org/wiki/2026_CBSE_On-Screen_Marking_controversy — (tier: 4)
- [S3] When the exam itself can be hacked: IFF writes to the Ministry of Education and CERT-In on the CBSE On-Screen Marking disclosure — Internet Freedom Foundation — https://internetfreedom.in/when-the-exam-itself-can-be-hacked-iff-writes-to-the-ministry-of-education-and-cert-in-on-the-cbse-on-screen-marking-disclosure/ — (tier: 4)
- [S4] SFLC.in's Representation on Security Vulnerabilities in CBSE's OSM Portal — SFLC.in — https://sflc.in/sflc-ins-representation-on-security-vulnerabilities-in-cbses-osm-portal/ — (tier: 4)