The Indian Institute of Technology (IIT) Kanpur has hired 19-year-old ethical hacker Nisarga Adhikary at its premier cybersecurity hub, C3iHub. The recruitment follows Adhikary's high-profile exposure of critical cybersecurity flaws in the Central Board of Secondary Education's (CBSE) newly launched digital On-Screen Marking (OSM) portal.
KANPUR, India — The Indian Institute of Technology (IIT) Kanpur has officially hired 19-year-old ethical hacker Nisarga Adhikary to join its premier national cybersecurity hub. The recruitment comes days after Adhikary flagged critical security vulnerabilities in the Central Board of Secondary Education’s (CBSE) digital On-Screen Marking (OSM) evaluation portal.
Adhikary has joined the institute's specialized C3iHub as a full-time Open-Source Intelligence (OSINT) and threat intelligence engineer. The proactive hiring decision highlights a major shift in how premier national institutions engage with independent security researchers to defend public data systems and strengthen critical digital infrastructure against emerging threats.
Technical Disclosures Trigger Rapid Academic Recruitment
According to details confirmed by senior administrative officials at IIT Kanpur, Adhikary was brought into the fold following an extensive technical evaluation of his independent findings. Operating as an independent researcher, the teenager discovered a critical master password embedded directly within the frontend code of the CBSE OSM portal. This systemic flaw allowed users to bypass mandatory One-Time Password (OTP) verification steps, granting unauthorized entry into the evaluation dashboard with the potential to alter student marks.
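The class of flaw described above, sketched as an added illustration that is not the portal's code or anything from the audit: a check that runs in the browser can be read by every visitor, so OTP verification belongs on the server with no override path. All names and values here (clientSideGate, issueOtp, verifyOtp, the placeholder string, the limits) are hypothetical.

```javascript
const crypto = require('node:crypto');

// ANTI-PATTERN (frontend): this function ships to every browser, so the
// "master" value is effectively public. Constructed placeholder, not a real value.
const MASTER_PLACEHOLDER = '<constructed-placeholder>';
function clientSideGate(enteredOtp, expectedOtp) {
  return enteredOtp === expectedOtp || enteredOtp === MASTER_PLACEHOLDER;
}

// HARDENED (server): the OTP never reaches the client and nothing overrides it.
const OTP_TTL_MS = 5 * 60 * 1000; // assumed validity window
const MAX_ATTEMPTS = 5;           // assumed guess limit per issued OTP
const pending = new Map();        // userId -> { hash, expires, attempts }

// Hashing yields equal-length buffers, which timingSafeEqual requires.
const sha256 = (s) => crypto.createHash('sha256').update(String(s)).digest();

function issueOtp(userId, now = Date.now()) {
  const otp = String(crypto.randomInt(0, 1000000)).padStart(6, '0');
  pending.set(userId, { hash: sha256(otp), expires: now + OTP_TTL_MS, attempts: 0 });
  return otp; // delivered out of band (SMS/e-mail), never sent to the browser
}

function verifyOtp(userId, submitted, now = Date.now()) {
  const rec = pending.get(userId);
  if (!rec) return false;
  if (now > rec.expires || rec.attempts >= MAX_ATTEMPTS) {
    pending.delete(userId); // expired or locked out: a fresh OTP must be issued
    return false;
  }
  rec.attempts += 1;
  const ok = crypto.timingSafeEqual(rec.hash, sha256(submitted));
  if (ok) pending.delete(userId); // single use
  return ok;
}
```

The server only opens a session after verifyOtp returns true; the browser's own view of whether the OTP step passed is never trusted.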
The technical exposure coincided with widespread student complaints regarding blurred scanned pages, missing answer sheet segments, and severe evaluation anomalies during the calculation of this year's Class 12 board examination results.
Recognizing the severity of the threat, the Ministry of Education deployed an elite joint task force consisting of computer scientists from IIT Kanpur and IIT Madras to step in, stabilize the compromised network, and audit the platform. Impressed by the precision of the teen's diagnostic methodology, the leadership team at IIT Kanpur's cybersecurity foundation extended a formal employment offer.
Strategic Integration into India's National Cyber Defense
At the university, Adhikary is being integrated into the IHUB NTIHAC Foundation (C3iHub). Established as a Section-8 non-profit company under the Government of India’s National Mission on Interdisciplinary Cyber-Physical Systems, C3iHub functions as a primary line of defense for safeguarding country-wide critical infrastructure and identifying digital vulnerabilities.
The teen specialist has been assigned to the center's core Vulnerability Assessment and Penetration Testing (VAPT) wing. Cybersecurity experts note that his technical focus will center on identifying architectural flaws in state-vetted software before they can be exploited by malicious actors.
Furthermore, an expert panel investigating the breach reported that modern artificial intelligence tools—specifically Anthropic’s Claude—were used by researchers to accelerate the detection of the portal's security loopholes. This discovery underscores the urgent need for institutions to hire agile, tech-native talent capable of navigating AI-driven security environments.
Broader Impact on Procurement Policy and Public Trust
The incident and the subsequent hiring have driven widespread systemic updates across India’s educational and technology sectors:
For Students and Citizens: The intervention of premier IIT experts has restored baseline transparency, ensuring that re-evaluation portals are fully secure and that student data remains free from manipulation.
For Private Technology Vendors: The expert audit revealed that Coempt Eduteck, the private vendor initially contracted by CBSE to run the platform, lacked adequate conceptual understanding of secure portal architecture. As a result, the government canceled the firm's panel status for the upcoming re-evaluation cycles.
For Data Privacy: With help from the Ministry of Electronics and Information Technology (MeitY), all sensitive candidate records have been migrated from private vendor servers to secure, government-controlled cloud nodes on Amazon Web Services (AWS) India.
Official Sources
The information, institutional mandates, and engineering updates detailed in this news report are compiled directly from the following official channels:
Operational frameworks and organizational charters published by the IIT Kanpur C3iHub.
Policy directives and inquiry updates issued by the Ministry of Education and Union Education Minister Dharmendra Pradhan.
Incident review logs monitored by the Indian Computer Emergency Response Team (CERT-In) and MeitY.
Quotes
"According to officials familiar with the induction, Adhikary joined the C3iHub team on June 9. He is slated to deploy his practical experience directly within the automated threat intelligence and vulnerability assessment domains, with doors potentially opening for additional independent ethical hackers."
— Senior Cybersecurity Hub Administrator, via institutional brief
"No student will suffer injustice. We have brought in the absolute best minds from IIT Kanpur and IIT Madras to rigorously audit the system, secure the data, and rectify any underlying software errors."
— Dharmendra Pradhan, Union Minister of Education, during a public address
Why It Matters
For young technology enthusiasts and self-taught programmers, this development establishes a powerful precedent: Indian academia is proving willing to look past rigid traditional degree requirements to onboard non-traditional, highly skilled talent into critical national security positions. For the broader public, the aggressive transition toward strict third-party security audits ensures that the massive digital transformation of national examination systems is paired with robust defense standards, safeguarding the privacy of millions of citizens.
Key Facts at a Glance
Talent Onboarded: IIT Kanpur has hired 19-year-old independent ethical hacker Nisarga Adhikary into its elite national cybersecurity hub, C3iHub.
Flaws Exposed: Adhikary identified a critical frontend vulnerability in the CBSE On-Screen Marking (OSM) system that allowed users to bypass OTP verification screens.
AI Assistance: A technical review panel verified that advanced AI tools were utilized to pinpoint the coding defects in the vendor's software architecture.
Vendor Dropped: Following an independent audit by IIT experts, the private edtech firm responsible for the portal was stripped of its contract for the re-evaluation phases.
Data Secured: All student records have been shifted to government-vetted cloud segments monitored by MeitY and CERT-In.
FAQ
Why did IIT Kanpur hire a teenager for its cybersecurity hub?
IIT Kanpur recruited 19-year-old Nisarga Adhikary because he successfully discovered and flagged severe architectural flaws in the CBSE's digital On-Screen Marking portal, displaying elite talent in threat intelligence.
What specific vulnerability did Nisarga Adhikary find in the CBSE portal?
He discovered an exposed master password within the website's frontend code. This flaw allowed individuals to bypass the mandatory One-Time Password (OTP) verification stage and gain direct unauthorized access to the evaluation dashboards.
What is the role of C3iHub at IIT Kanpur?
The C3iHub at IIT Kanpur is a premier national cyber security center set up under the National Mission on Interdisciplinary Cyber-Physical Systems. It focuses on testing vulnerabilities, protecting national critical infrastructure, and incubating security technologies.
What changes did the government make to the CBSE system following this exposure?
The government dropped the private platform vendor, Coempt Eduteck, due to inadequate security architecture. Additionally, they moved all candidate data to government-controlled secure cloud servers with support from MeitY.
Were any student marks or records permanently altered during this controversy?
According to statements from the Ministry of Education and the IIT audit teams, the vulnerabilities were intercepted and corrected during testing phases. The data remained in read-only segments, preventing any unauthorized alteration of official exam scores.
Source: IIT Kanpur Institutional Portal, C3iHub Security Research Foundation, Ministry of Electronics and Information Technology (MeitY) Press Archive.