India’s Central Board of Secondary Education (CBSE) has refuted allegations that its marking portal was compromised, issuing a formal statement even as an ethical hacker claims to have identified critical vulnerabilities in the system and reported them to the government’s cybersecurity agency CERT-In in February.
The dispute centres on the security of CBSE’s digital infrastructure used to process examination marks for millions of students across India. The ethical hacker’s disclosure, which predates the board’s denial, represents a significant concern for educational technology systems handling sensitive student data. CERT-In, the Indian Computer Emergency Response Team operating under the Ministry of Electronics and Information Technology, received the vulnerability report months before the board’s public statement, according to the hacker’s account.
The timing and nature of the disagreement highlight a persistent tension in cybersecurity disclosure practices: the gap between when technical vulnerabilities are identified by independent researchers and when affected organizations publicly acknowledge them. Educational institutions in India, like many public sector agencies, have faced increasing scrutiny over the robustness of their digital systems. The marking portal in particular processes confidential examination results and administrative data affecting students, teachers, and institutional records nationwide.
The ethical hacker’s claim that vulnerabilities were exposed underscores specific technical weaknesses that, if exploited, could theoretically allow unauthorized access to the portal’s systems. By reporting to CERT-In rather than directly compromising data or causing public disruption, the researcher followed responsible disclosure protocols—a practice endorsed by cybersecurity professionals globally. CERT-In’s involvement suggests the government took the report seriously enough to engage with the affected organization.
CBSE’s categorical denial raises questions about what specific vulnerabilities were identified, whether they have since been patched, and what security measures were already in place when the report reached CERT-In. The board did not provide detailed technical information about its remediation efforts or timeline for addressing identified issues. Educational stakeholders—including school administrators, teachers, and parents—depend on the integrity of such systems, making transparency about both problems and solutions essential to maintaining institutional trust.
The incident reflects broader challenges in India’s educational technology infrastructure as digitalization accelerates. CBSE administers examinations for millions of students annually, making its systems critical national infrastructure. A genuine compromise of the marking portal could affect academic records, admission decisions, and scholarship eligibility for students. The stakes extend beyond individual institutions to the credibility of the examination system itself.
The path forward likely involves technical audits, clarification from CERT-In about its assessment of the reported vulnerabilities, and potentially independent security reviews of CBSE’s digital systems. Whether the board’s denial stems from successful remediation, a disagreement over severity, or technical disagreement about vulnerability validity remains unclear. Educational institutions across India will be watching closely—the resolution of this dispute could establish precedents for how public sector agencies handle cybersecurity disclosures and whether responsible researchers feel incentivized to report vulnerabilities through official channels rather than seeking public attention.
