The cybersecurity certifications accepted by the Central Board of Secondary Education as evidence that the controversial On-Screen Marking (OSM) platform was safe to process nearly 10 million student answer scripts covered a different customer’s deployment of the same software, had been tested in a pre-production environment and, in one case, were almost two years old when submitted, a review of the documentation by HT has found.

The certificates from Coempt Edu Teck, seen by HT, were part of the third bid for the OSM system, which the company won. Their contents gain importance given what has since emerged about the actual security of the platform. Between February and May 2026 – while the OSM system was being used to assess Class 12 answer books and then to host post-results services – cybersecurity researchers reported a series of critical vulnerabilities that potentially allowed unauthorized access, such as access as paper checkers, exposed student marks and answer scripts and, in one case, could lead to access to important databases. CERT-In acknowledged at least some of these disclosures to a parliamentary committee, according to people familiar with the matter who spoke to HT on condition of anonymity.
What the certificates cover
Coempt provided two security certificates to meet the cybersecurity requirements of the August 2025 tender. Both were issued by CERT-In certified companies; government procurement rules require such certification.
The first, issued by Prime Infoserv LLP in November 2023, certified that bput.onmark.co.in – the OnMark deployment of Biju Patnaik University of Technology in Odisha – was free of vulnerabilities as of that assessment. By the time Coempt submitted it for the CBSE tender in August 2025, it was almost two years old. The certificate's validity condition states that it expires upon a change to the application or after one year.
The second, issued by A3S Tech & Company in October 2025, covers an app called OneX – not OnMark – tested against a BPUT test domain and a pre-production staging URL. The certificate clearly states that the audit was based on a “temporary application version” and recommends that hardening of the production server should be performed – an acknowledgment, in the certificate itself, that the production environment was not what was tested.
Neither certificate mentioned a CBSE URL or indicated that what was examined was related to CBSE, whereas both mention BPUT.
The platform these certificates were supposed to guarantee was later found to have a series of serious security flaws.
The cybersecurity flaws were first reported on February 25 by Nisarga Adhikary, an amateur researcher who had just taken his Class 12 exams.
He found five critical vulnerabilities in the OSM portal – including a plaintext master password that bypassed two-factor authentication entirely – and reported them to CERT-In. Only one was corrected. The rest remained until the portal was taken down.
A more significant breach occurred on May 29.
Tirth Parmar, a second researcher, found that the portal’s login page had been built with a basic coding error that left it vulnerable to what’s known as a SQL injection attack – a technique so basic that it has topped global lists of critical web security flaws for years. Parmar said the flaw eventually allowed him admin-level access to hundreds of database tables containing student grades, answer scripts, resident personal and banking details, and eventually access to code files where he found hardcoded passwords, which are credentials baked directly into the software rather than securely stored. He confirmed that the same passwords were being reused across Coempt's other exam board clients.
In other words, one point of entry opened multiple doors. “The master server also appears to contain credentials and configuration references to other databases, including those associated with other organizations. This indicates poor segregation between client environments and mishandling of sensitive credentials,” Parmar told HT. “In my view, this was a major failure by the company that developed and managed the software, as it potentially put many customers and their sensitive data at risk.”
In his May 30 post on
Prime Infoserv and A3S did not respond to HT’s questionnaire seeking more details on their adoption of the tools according to documents provided by Coempt. CBSE did not respond to requests for comment.
Whether Coempt submitted the certificates as a deliberate representation that they covered the CBSE rollout, or on the assumption that the certification was transferable across client instances, is a question the company has not answered.
But the certificates also raise questions about security vetting. The Prime Infoserv certificate, issued in November 2023, explicitly states that the audited system has been certified to the “OWASP Top 10 and SANS Top 25 Benchmark” standards. SQL injection – the vulnerability exploited by Parmar – is the first item on the OWASP Top 10 list, a globally recognized checklist of the most significant security risks for web applications.
A cybersecurity professional in the banking, financial services and insurance (BFSI) sector familiar with the details of the certificates expressed surprise at the contents and said they were not what such audit reports usually look like. “It goes against standard practice,” he said, adding that such documents are usually intended to carry more details about the tests performed, methodologies, risk assessments, treatments and re-evaluations after repairs. “It is not a general final certificate.”
One of many
The certifications are the latest chapter in a procurement process whose track record, compiled across HT reports, traces a steady arc: standards set, then lowered; warnings issued, then ignored.
CBSE floated the first OSM tender in February 2025. No company applied. The second round in May drew responses, but no company passed the technical round. The third came in August – the minimum scanning resolution dropped from 300 dpi to 200 dpi, automated scanner requirements were eliminated, and software maturity certification was lowered from the highest international level to the midpoint. The contract went to Coempt on December 5. Class 12 exams began 74 days later.
The governing body of the Board had recommended a pilot rollout in all 22 regional offices before any nationwide rollout. None was held.
Since the controversy erupted, the government has fired top CBSE officials. A single-member government committee was appointed to examine the procurement process. An IIT team was brought in to stabilize the system.

