Job applications typically include a cover email and resume; In the case of 19-year-old Nisarja Adhikari, it was a blog post detailing vulnerabilities in the Central Board of Secondary Education’s on-screen portal.
Adhikari was appointed this week as an Open Source Intelligence (OSINT) and Threat Intelligence Architect at IIT Kanpur’s C3iHub Technology Innovation Centre.
IIT Kanpur director Manindra Agrawal said he reached out to Adhikary after reading the post, which was published on May 22.
“Nisarja Adhikari has been appointed as an engineer in our cybersecurity team. A few years ago, we had similarly appointed two young engineers to the same team. I am not sure if he is the youngest recruit at IIT Kanpur, but he is definitely among the youngest engineers to be appointed in the institute,” Agrawal added.
The weaknesses highlighted by Adhikary are just one thread in the controversy that has erupted over the adoption of screen tagging.
HT reports discovered that the process has been expedited. Worse still, with no bids for the first tender and the second unsuccessful, the technical standards were lowered for the third tender, which Coempt Edu Teck eventually won.
Read also: How a Class XII student became a techie at the age of 19 allegedly hacked the CBSE exam website
The HT report also discovered that the cybersecurity certificates provided by Coempt covered a different customer’s deployment of the same software but in a pre-production environment, and that another certificate was almost two years old.
At IIT Kanpur, Adhikary, who passed his Class 12 exams this year, will analyze actionable information from publicly available sources and identify vulnerabilities in websites and applications, helping organizations address and patch potential security flaws, officials said on Tuesday. He was appointed on a contractual basis as an engineer within the institute’s cybersecurity team.
“I am excited about this opportunity because it is the first time I will be working in a security-focused role,” Adhikari said. “In my previous jobs, I primarily worked as a software engineer, while cybersecurity was just a hobby.”
No one in his family works in cybersecurity and his parents work in the financial sector. “I started programming when I was six or seven years old, but I got seriously involved in cybersecurity and started participating in Capture the Flag (CTF) and other cybersecurity competitions when I was in sixth grade,” he said.
CTF (Capture the Flag) refers to game-based hacking contests or puzzles where participants test and develop their ethical hacking skills by legally discovering “flags” (hidden text strings) hidden within intentionally vulnerable software, websites, or networks.
Both Adhikary and IIT Kanpur officials declined to disclose his pay, though Adhikary indicated it was less than he expected.
Read also: ‘No security breach’: CBSE clarifies after Class 12 student claims ‘vulnerabilities’ in OSM portal
“The salary is good, but I was expecting a little more. I’m used to working on projects and with companies based in the US, and I miss the financial advantage that comes with earning in dollars due to the conversion of US dollars to Indian rupees,” he said.
Adhikary does not plan to enroll in college at the moment.
“I want to work on building on startups and products that people use,” he said. “I’m not very interested in academia.”
On the directions of Union Education Minister Dharmendra Pradhan on May 24, IIT Madras and IIT Kanpur deputed a four-member team of computer systems, operations and cybersecurity experts to help CBSE address glitches in the post-results services portal.
Agrawal, who was stationed at the CBSE headquarters in Delhi as part of the exercise, met Adhikari in the capital about two weeks ago.
“Adhikari is undoubtedly very talented, but he still has a lot to learn and develop. IIT Kanpur is offering him this opportunity. I believe he will do very well if he continues to work hard,” Agrawal said.
In his blog, Adhikari said he reported the vulnerabilities to Indian cybersecurity watchdog CERT-In on February 25. As HT reported on June 6, it identified five serious flaws in the OSM portal, including storing the master password in plaintext that allows users to bypass two-factor authentication entirely. He said he alerted CERT-In to these issues, but only one vulnerability was patched while the remaining flaws persisted until the portal was eventually removed.
Adhikari told HT that this will be his first job in an educational institute, though he has previously worked professionally with several startups.
