Security Lapses: CBSE’s On-Screen Marking Platform Relied on Expired and Irrelevant Cybersecurity Certificates
Coempt gave CBSE cyber certificates that were expired, tied to other client

Fresh scrutiny reveals that the firm Coempt Edu Teck provided outdated documentation to the Central Board of Secondary Education for its sensitive examination system.
The integrity of the Central Board of Secondary Education’s (CBSE) on-screen marking (OSM) platform has come under intense scrutiny following revelations that the cybersecurity certificates submitted by the vendor, Coempt Edu Teck, were both expired and misaligned with the actual deployment. Documents reviewed by the Hindustan Times indicate that the company successfully won a high-stakes tender to process nearly 10 million student answer scripts by relying on documentation that failed to reflect the specific security posture of the CBSE system.
A Mismatch in Validation
To satisfy stringent government procurement rules, vendors must present security audits from CERT-In empanelled firms. However, the certificates submitted by Coempt were significantly flawed. One document, issued by Prime Infoserv LLP in November 2023, was nearly two years old by the time it was submitted for the August 2025 tender. Furthermore, the certificate specifically covered a deployment for the Biju Patnaik University of Technology (BPUT) in Odisha, not the CBSE platform. Given that such certifications typically expire upon application changes or after one year, their use to validate a major national examination system raises serious questions regarding due diligence.
A second certificate, issued in October 2025 by A3S Tech & Company, further clouded the situation. It reportedly certified a different application named "OneX" rather than the "OnMark" software utilized by the CBSE. The assessment was performed on a pre-production staging environment for an entirely different client, leaving the actual production security of the CBSE platform unverified by the submitted documentation.
Vulnerabilities and Real-World Impact
The reliance on these documents is particularly concerning in light of the performance of the OSM platform between February and May 2026. During this period, the system—which was used to evaluate Class 12 answer scripts and manage post-result services—was reportedly plagued by a series of critical vulnerabilities. Cybersecurity researchers identified flaws that could have allowed unauthorized individuals to gain access as paper checkers, potentially exposing sensitive student marks and private answer scripts.
In some instances, these vulnerabilities were severe enough to grant access to critical databases. Sources have indicated that CERT-In, the national nodal agency for computer security, acknowledged several of these disclosures to a parliamentary panel. The gap between the "clean" certificates submitted by the vendor and the technical reality of the platform’s performance suggests a systemic failure in the procurement and oversight process for digital education infrastructure.
The board manages millions of records, and the use of irrelevant and lapsed security credentials highlights the risks inherent in digitizing large-scale assessments. As stakeholders demand greater transparency, the board faces pressure to explain how such documentation was accepted as proof of security for a platform handling the personal data of students across the country.
The PoliticalPedia Editorial Desk brings verified, sourced political news and analysis from across India.