Days after exposing major cybersecurity vulnerabilities in the Central Board of Secondary Education’s (CBSE) On-Screen Marking (OSM) portal, 19-year-old ethical hacker Nisarg Adhikary has been recruited by the Indian Institute of Technology (IIT) Kanpur’s cybersecurity hub, C3iHub .
Adhikary will join as an Open-Source Intelligence (OSINT) and threat intelligence engineer, focusing on identifying vulnerabilities in websites and applications and helping organizations address potential security flaws .
How a blog post led to the job offer
Adhikary did not submit a conventional job application. Instead, he wrote a blog post on May 22 detailing critical security gaps in the CBSE’s OSM portal .
The post caught the attention of IIT Kanpur’s Director, Manindra Agrawal, who was stationed at CBSE headquarters in Delhi following directions from Union Education Minister Dharmendra Pradhan to help address technical glitches in the board’s examination systems .
After meeting Adhikary in Delhi, Agrawal offered him the position. “Adhikary is undoubtedly very talented, but he still has a great deal to learn and further develop his capabilities. IIT Kanpur offers him that opportunity,” Agrawal said .
This is not the first time the institute has recruited young engineers. “A few years ago, we had similarly recruited a couple of young engineers for the same team. I am not sure whether he is the youngest recruit at IIT Kanpur, but he is certainly among the youngest engineers to have been hired by the institute,” Agrawal added .
The vulnerabilities Adhikary uncovered
Adhikary had flagged five critical flaws in the CBSE’s OSM portal, including the storage of a master password in plain text that would allow users to bypass two-factor authentication entirely .
He also claimed he could change teacher names, roll numbers, and bank details on the portal, and warned that unauthorized individuals could download answer sheets from the system . He also discovered that he could “paginate and enumerate” answer sheets and question papers, noting that “anyone on the Internet can download any scanned booklet — across institutions” .
Adhikary said he reported these vulnerabilities to India’s cybersecurity watchdog CERT-In on February 25, but only one vulnerability was patched while the remaining flaws persisted until the portal was eventually taken down .
A self-taught coder with big ambitions
Adhikary told Hindustan Times that he started coding at age six or seven and became seriously involved in cybersecurity around Class 6, when he began participating in Capture the Flag (CTF) competitions—gamified hacking exercises that test ethical hacking skills .
No one in his family works in cybersecurity; both his parents are in the finance sector .
“I am excited about this opportunity because it is the first time I will be working in a security-focused role. In my earlier jobs, I primarily worked as a software engineer, while cybersecurity was more of a hobby,” he said .
Although Adhikary cleared his Class 12 exams this year, he has no immediate plans to enroll in college. “I want to work on building startups and products which people use. I am not much interested in academia,” he said .
Other students also flagged irregularities
Adhikary is not the only young researcher who exposed problems with the CBSE’s digital evaluation system.
Eighteen-year-old Vedant Srivastav discovered that the scanned copy of his answer sheet did not belong to him. After he raised the issue publicly, CBSE eventually admitted to the error .
Twenty-two-year-old Tirth Parmar found similar security issues on the site, including the ability to access user passwords and manipulate database information .
Meanwhile, 18-year-old Sarthak Sidhant made public documents showing how CBSE had eased technical criteria to award the tender to a Hyderabad-based company, Coempt Edu Teck, which had a history of unsuccessfully implementing the same OSM system in Telangana in 2019 .
The bigger picture: Who flagged the flaws?
| Researcher | Age | Key Finding |
|---|---|---|
| Nisarg Adhikary | 19 | Master password stored in plain text, 2FA bypass, downloadable answer sheets |
| Vedant Srivastav | 18 | CBSE admitted his scanned answer sheet did not belong to him |
| Tirth Parmar | 22 | Accessed user passwords and database, could manipulate data |
| Sarthak Sidhant | 18 | Exposed tender document showing relaxed criteria for Coempt |
At C3iHub, Adhikary will now work on safeguarding national critical infrastructure, conducting vulnerability assessments, and contributing to India’s cybersecurity ecosystem—making him one of the youngest engineers to join an IIT’s core research team .
