*.onmark.co.in) hosting at least 30+ institutions. Awarded the OSM contract to Coempt EduTeck via e-procurement on the Central Public Procurement portal (RFP floated 28 Aug 2025). Responsible for oversight of the evaluation pipeline for Class 10 and Class 12 board examinations. The platform hosted evaluation for 17,80,365 registered Class 12 students in 2026.
Examination integrity Data protection Procurement oversight
Received formal correspondence from the Internet Freedom Foundation (IFF) raising concerns about the CBSE OSM platform's security. Responsible for national examination policy and digital infrastructure standards for education.
Policy accountability
Notified by IFF regarding vulnerabilities in the CBSE OSM portal. CERT-In is mandated under Section 70B of the IT Act to coordinate cyber incident response for critical infrastructure. No public acknowledgment of action has been confirmed.
Cyber security response
Hyderabad-based EdTech company with 25+ years in examination solutions. Operates the OnMark platform at onmark.co.in. Products include OneX, Onmark, EzyTest, Learning, Digital Labs, and DigiTab. Company website at coempt.in. GitHub org: github.com/coempt (empty since 2020).
The company and its CEO were previously investigated in a 2019 Telangana case, reportedly cleared by courts. The current CBSE OSM contract was awarded in 2025.
Vendor accountability Code leak Due diligence
segrgokul (Hyderabad, likely K. Naga Raju) and viswanthp — published internal QA automation code and server-side source code to public GitHub repositories. The automation code references internal project codenames: GITA (likely Gujarat), KNR (Karnataka), NIZAM (Telangana), SCTEVT (State Council for Technical Education & Vocational Training).
Confirmed via SSL certificate transparency logs (crt.sh for *.onmark.co.in), GitHub source code references, and HTTP probing. Not all subdomains were live at time of verification.
| Entity | Subdomain | Source | Confidence |
|---|---|---|---|
| CBSE | cbseosm.onmark.co.in | Active, confirmed | ✅ Verified |
| CBSE | cbse.onmark.co.in | SSL cert + active | ✅ Verified |
| CBSE | cbseeval.onmark.co.in | SSL cert | ✅ Verified |
| Andhra Pradesh SBTET | sbtet.onmark.co.in | Server-side source leak (ASP.NET) | ✅ Verified |
| Bengaluru Central University | bcuosm.onmark.co.in | SSL cert + HTTP active | ✅ Verified |
| Karnataka State Women's University | kswuosm.onmark.co.in | SSL cert | ✅ Verified |
| Acharya Nagarjuna University | anu.onmark.co.in | SSL cert | ✅ Verified |
| JNTU (Jawaharlal Nehru Technological University) | jntu*.onmark.co.in | SSL cert | ✅ Verified |
| Gujarat board (GITA project) | Internal codename gita | GitHub automation code | ⚠️ Inferred |
| Karnataka evaluation (KNR project) | Internal codename knr | GitHub automation code | ⚠️ Inferred |
| Telangana / Nizam evaluation | Internal codename nizam | GitHub automation code | ⚠️ Inferred |
| State Council for Technical Education & VT | Internal codename sctevt | GitHub automation code | ⚠️ Inferred |
At least 30+ SSL certificates issued for *.onmark.co.in subdomains indicate the platform serves dozens of educational institutions. Every institution shares the same base platform code, meaning platform-level vulnerabilities affect all simultaneously.
Handwritten answer sheets were scanned and uploaded to the OnMark platform. The IDOR vulnerability in the answer-sheet PDF download endpoint means graded answer sheets — with marks, annotations, and evaluator comments — may have been accessible via sequential ID guessing.
Personal data exposure Academic integrity
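
The object-level check that closes this kind of IDOR, paired with a detector for sequential-ID probing, as an added example that is not OnMark's or Coempt's code. The data model, the `authorizeSheetDownload` and `findEnumeration` names, and the sample IDs are constructed assumptions.

```javascript
// Added example: hypothetical data model, not the OnMark code base.
// Constructed sample data: sheets keyed by sequential numeric IDs,
// the pattern the IDOR finding describes.
const assignments = new Map([
  [1001, { evaluatorId: "EV-A", schoolCode: "S01" }],
  [1002, { evaluatorId: "EV-B", schoolCode: "S02" }],
  [1003, { evaluatorId: "EV-A", schoolCode: "S01" }],
]);

// Object-level check: a valid session is not enough; the sheet must be
// assigned to the requesting evaluator. Unknown and foreign IDs both
// return 404 so the response does not confirm which IDs exist.
function authorizeSheetDownload(session, sheetId, audit) {
  if (!session || !session.evaluatorId) return 401;
  const id = Number(sheetId);
  const sheet = Number.isInteger(id) ? assignments.get(id) : undefined;
  const allowed = sheet !== undefined && sheet.evaluatorId === session.evaluatorId;
  audit.push({ evaluatorId: session.evaluatorId, sheetId: id, allowed });
  return allowed ? 200 : 404;
}

// Detection: flag evaluators whose denied requests contain a run of
// at least `minRun` consecutive IDs, which is what ID guessing looks like.
function findEnumeration(audit, minRun = 3) {
  const denied = new Map();
  for (const e of audit) {
    if (e.allowed || !Number.isInteger(e.sheetId)) continue;
    if (!denied.has(e.evaluatorId)) denied.set(e.evaluatorId, new Set());
    denied.get(e.evaluatorId).add(e.sheetId);
  }
  const flagged = [];
  for (const [evaluatorId, ids] of denied) {
    const sorted = [...ids].sort((a, b) => a - b);
    let run = 1, best = 1;
    for (let i = 1; i < sorted.length; i++) {
      run = sorted[i] === sorted[i - 1] + 1 ? run + 1 : 1;
      best = Math.max(best, run);
    }
    if (best >= minRun) flagged.push(evaluatorId);
  }
  return flagged;
}
```
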
Evaluator credentials (user IDs, school codes, passwords) were exposed through the vendor's public GitHub automation code. Evaluator photographs — used for exam-duty identity verification — were served via an unauthenticated API endpoint. Password changes required no old password verification.
Credential exposure Identity data
19-year-old ethical hacker who independently identified and disclosed critical vulnerabilities in the CBSE OSM portal in February 2026: authentication bypass, client-side OTP validation, hardcoded master password in the Angular bundle, password reset without old password, and IDOR. Published detailed writeup at ni5arga.com.
Researcher
Investigated the CBSE procurement process for the OSM contract. Published findings on GitHub revealing that CBSE had rewritten tender norms to favour Coempt EduTeck, including deletion of prior experience requirements that would have eliminated the vendor.
Researcher
Issued formal letter to the Ministry of Education and CERT-In demanding disclosure and action on the CBSE OSM vulnerabilities. Framed the issue as a national examination integrity concern. Published detailed article: "When the Exam Itself Can Be Hacked".
Advocacy
| GitHub Handle | Location | Repositories | What Was Leaked |
|---|---|---|---|
| segrgokul | Hyderabad | KNR_Automation_Coempt, coempt_Automation | Selenium QA automation for 4 board instances (GITA, KNR, NIZAM, SCTEVT). Includes login flows, page object models matching live portal DOM, config with service URLs, Jenkins integration. |
| viswanthp | India | AP_SBTET_AUDIT | Full server-side ASP.NET source code for AP State Board of Technical Education's OSM instance. Includes custom cryptography, payment integrations, authentication design. |
| akhi101 | India | SBTET_AUDIT, sbtet_login_audit | Independent security audit repos targeting the AP SBTET instance. Archived but not analysed in depth. |
segrgokul's GitHub profile lists Hyderabad — Coempt EduTeck's headquarters. The repository names (KNR_Automation_Coempt) explicitly reference the company. The Selenium page-object models match the live CBSE OSM portal's exact DOM structure and Angular route paths (e.g., /cbseevalweb/).
| Publication | Angle | Link |
|---|---|---|
| Hindustan Times | Telangana firm Coempt EduTeck in focus amid CBSE OSM row; Rahul Gandhi | HT |
| Moneycontrol | Coempt CEO denies platform breach, cites 2019 Telangana case cleared by courts | Moneycontrol |
| Indian Express | CBSE Class 12 digital evaluation / OSM background | IE |
| Careers360 | CBSE OSM portal hacker Nisarga Adhikary — vulnerabilities explained | Careers360 |
| Free Press Journal | Meet Nisarga — the 19-year-old ethical hacker who flagged alleged CBSE portal issues | FPJ |
| MediNama | CERT-In and CBSE OSM portal vulnerabilities | MediNama |
| Domain | Purpose | Status |
|---|---|---|
| onmark.co.in | Coempt's OnMark platform root | Active |
| cbse.onmark.co.in | CBSE OSM evaluation portal | Active |
| cbseosm.onmark.co.in | CBSE OSM production instance | Active |
| cbseeval.onmark.co.in | CBSE evaluator interface | Active |
| sbtet.onmark.co.in | AP State Board of Technical Education | Active (ASP.NET) |
| bcuosm.onmark.co.in | Bengaluru Central University | Active (confirmed HTTP) |
| coempt.in | Coempt EduTeck corporate site | Active (Angular SPA, JS-required) |
| github.com/coempt | Coempt GitHub organization | Empty since 2020 |