CBSE may penalise vendor over OSM flaws, blacklisting unlikely

THe exchange room of Secondary breeding (CBSE) testament penalise its on-screen grading (OSM) service provider Coempt Edu Teck for issues with online marking of Class 12 answer sheets, officials aware of the matter said on Sunday, after users on social media platform X flagged vulnerabilities in its answer script evaluation portal, prompting an acknowledgement from the agency.The Hyderabad-based company will be fined in line with penalty provisions detailed in its August 2025 tender document, said the officials.The tender, issued on August 28, provides for a raft of cascading financial penalties pinned on redressal timelines — including a fine of ₹1 lakh for every 15-minute delay in rectifying an issue after a CBSE official flags it to the helpdesk — blocked security deposits and contract terminations.Also read: 3 teens vs CBSE: How the Class 12 paper-checking system OSM blew up, and the board corrected, defended, counteredHowever, the contract does not contain provisions to blacklist the company for such lapses. Indeed, the blacklisting criterion made it into the August tender, but was removed in a corrigendum issued on September 20, 2025. Coempt Edu Teck was awarded the contract on December 5.Coempt Edu Teck did not respond to requests seeking comment.The development comes after 19-year-old ethical hacker Nisarga Adhikary in a post on X on Sunday alleged that answer sheets stored on an Amazon Web Services (AWS) bucket – a cloud storage container for files like documents, images, and data – were publicly accessible online.Also read: ‘Show the terrorists' faces!’: Rahul Gandhi meets Vedant, student at centre of CBSE row, mocks familiar insults“CBSE people didn’t configure their AWS bucket properly and now we can paginate & enumerate all their media which has 2026 answer sheets & question papers,” Adhikary said on X, while attaching screenshots of several answer copies.Nearly four hours later, the board said it had been “closely monitoring the vulnerabilities in the OnMark portal of our service provider that are being flagged in the public domain.”The board did not identify the service provider by name.“An expert team of cybersecurity professionals has been deployed over the last few days from across various arms of the government as well as the IITs to fortify these systems, including taking them over to a more secure set up. The identified vulnerabilities have been contained, and other exploitable weaknesses are being ruled out,” CBSE said.CBSE officials did not respond on record to HT’s queries on details related to vulnerabilities in the OSM system, penalties and the alleged extent of data breach.A CBSE official who asked not to be named acknowledged the vulnerabilities and confirmed that the contractor would be penalised.“The vulnerabilities identified by the board shows that the there was a data breach related to students data. In the tender rules, there are exhaustive provisions for imposition of penalty on the company if it is established that there were shortcomings within the ambit of scope of work. It is obvious that penalties will be imposed due to various issues, which we identified and now resolved,” said the official.Another CBSE official said the answer booklet was “not leaked”.“Our record is saying that the answer book has not leaked. The data is secure now and we have fixed and patched all the vulnerabilities. There is no vulnerability in the system now. We will compile data for all the issues in OSM including vulnerabilities in the portal and impose penalties in line with the tender rules and guidelines,” said the official, who also asked not to be named.Also read: After CBSE 'monitors' issues over OSM portal, hacker says 'my work is done'The August tender introduced Service Level Agreements (SLAs) — measurable performance standards that the vendor must meet during operations. It introduced penalties for two groups of errors – “critical mistakes”, which include information leaks, major lapses while scanning answer scripts and security lapses; and “other mistakes”, including loss of pages of answer books during scanning, data security breaches, variations in the data exported to CBSE.Under the agreement, corrective measures must be taken for each mistake identified, failing which a penalty of ₹1 lakh will be imposed for every 15 minutes of delay beyond the schedule prescribed by CBSE. Similarly, delays in submitting a root-cause analysis and corrective action plan attract a penalty of ₹1 lakh for every 60 minutes of delay. The contract also provides for a penalty of ₹5,000 for every 60 minutes of delay in providing onsite support, onboarding assistance, training manuals, hand-holding documents and user manuals required for the smooth functioning of CBSE operations.The tender also defines the trigger point to calculate delays. The SLA clock begins when a CBSE official either sends an escalation to the designated helpdesk email ID or lodges a complaint through the helpdesk. CBSE will calculate the SLA from the time the complaint is registered with the helpdesk or the time the escalation email is received, whichever occurs earlier, provided it falls within the helpdesk’s working hours.The September 2025 corrigendum, however, crimped CBSE’s right to blacklist offending vendors.A note in the August tender said, “The issue will be put in front of a committee as decided by CBSE. The committee may send a show cause notice for forfeiture for PBG [performance bank guarantee], Blacklisting and Termination of contract.”However, the corrigendum altered this.“The Note at page 131 of Tender Document is modified as ‘The committee may send show cause notice for forfeiture for PBG and Termination of contract’,” said the corrigendum.Additionally, a clause in the August tender which said, “If any of the mistake from “Other Mistakes” is repeated by bidder, then CBSE reserves the right for forfeiture for Security Deposit, Blacklisting and Termination of contract” was modified in the corrigendum.“If any of the mistakes from “Other Mistakes” is repeated by the bidder, then CBSE reserves the right for forfeiture for Security Deposit, and Termination of contract,” said the corrigendum.Adhikary told HT that the vulnerabilities in the Coempt portal were easily accessible.The root directory of the storage bucket — the top-level folder containing all stored files — was publicly accessible and could be listed without any authentication, he said.“The bucket root was publicly listable, meaning anyone on the internet could see the complete list of files and folders stored inside,” added Adhikary.