Industry2026-06-11·8 min read

CBSE's OSM Data Sprint: When a Board Had to Reclaim Its Own Exam Records

How CBSE migrated Class 12 answer-sheet data from a private vendor to its own servers — and what the IIT Kanpur red-team, blue-team security sprint reveals about data custody in digital evaluation.

A Board Without Its Own Data

When CBSE's Class 12 On-Screen Marking system collapsed in May 2026 — blurred scans, missing pages, mismatched answer sheets — the board faced a crisis that went beyond bad scanning. The most consequential revelation was operational: CBSE's most sensitive examination records, the evaluated answer books of nearly 17 lakh students, were sitting on servers owned and controlled by a private vendor.

Reclaiming that data was not a technical click-of-a-button. It required a coordinated sprint involving cybersecurity professionals from two IITs, five rounds of security testing, and more than ten days of intensive work before the board could relaunch even the re-evaluation portal.

What "Data Migration" Actually Involved

CBSE had engaged Hyderabad-based Coempt Eduteck to build and operate its OSM platform. The vendor hosted the platform on its own infrastructure, which meant answer-book images, evaluator marks, and the underlying OSM software were all resident on Coempt's systems.

After the crisis deepened in late May — including a distributed denial-of-service attack on the re-evaluation portal and the public disclosure of critical vulnerabilities by ethical hacker Nisarga Adhikary — CBSE moved to shift all answer-book records and OSM system data to CBSE-controlled servers.

This involved:

Transferring all digitised answer-book images to CBSE-owned infrastructure

Moving OSM application data, evaluator logs, and mark records

Reviewing and understanding large portions of vendor-written code, which required Coempt to remain involved in the transition

Implementing access controls under CBSE's own IT team

Coempt was retained — but only for scanning. The company continues to handle the physical logistics of digitising answer sheets for the ongoing re-evaluation exercise. Everything else now runs on government-controlled servers.

The IIT Security Sprint: Red Team, Blue Team, Five Rounds

Before CBSE relaunched the re-evaluation portal on 2 June 2026, it brought in cybersecurity teams from two institutions:

IIT Kanpur served as the red team, conducting offensive penetration testing to find exploitable vulnerabilities. The team worked for more than ten days on both the CBSE registration portal and the OSM portal.

IIT Madras operated as the blue team, focused on hardening the code and closing gaps the red team identified.

Five distinct rounds of security assessment were completed before the system was cleared for relaunch. The methodology mirrors what large financial institutions use to audit payment systems: structured adversarial testing followed by hardening cycles, with no deployment until multiple clean rounds are completed.

The review found no breaches in the newly migrated systems. The DoS attack that struck the initial re-evaluation window was also successfully contained after the hardened version went live.

What the Scanning Numbers Reveal

A data point that has received less attention: Coempt's scanning operation processed approximately 40 crore (400 million) pages during the main evaluation cycle. Of those, roughly 30,000 pages were classified as problematic — a ratio of approximately 1 in 13,000.

At that scale, one in 13,000 is a small percentage. But when those 30,000 pages are distributed unevenly — with some students receiving blurred, illegible scans while others received clearly digitised sheets — the experience is not statistical. It is a failing mark that cannot be explained, a revaluation fee that should not have been necessary, and an admission application held in limbo for six weeks.

By late May 2026, CBSE had rescanned 68,018 answer books and sent 13,583 for manual re-evaluation. Over 1.6 lakh students applied for answer-sheet verification or re-evaluation, covering 3.8 lakh answer books. Applications for scanned copies crossed 11.31 lakh. These numbers — unprecedented in the board's history — reflect the scale of perceived and actual discrepancies that the scanning quality gap created.

The Vendor Custody Problem

The CBSE-Coempt situation is not unique. Across Indian universities and state boards, institutions that have adopted digital evaluation have typically done so by outsourcing the entire technology stack — including data hosting — to private vendors.

This creates a structural vulnerability that has nothing to do with the vendor's competence. If a relationship ends, if a vendor faces financial or legal trouble, or if a security incident requires forensic access, an institution that does not host its own data is dependent on the vendor's cooperation to access its own records.

For CBSE, this dependency was visible during the crisis: Coempt had to assist in explaining parts of the codebase and facilitate data transfer. An institution with less institutional leverage than CBSE might find that process slower, more contested, or complicated by commercial disputes.

The ethical hacker Nisarga Adhikary had earlier reported that answer sheets and question papers stored on an Amazon Web Services server were publicly accessible due to improper configuration. That misconfiguration occurred on vendor-managed infrastructure — a configuration decision CBSE could not have audited without the vendor's cooperation.

Four Clauses Every OSM Contract Must Include

The CBSE experience has effectively written a minimum standard for vendor data arrangements in digital evaluation contracts. Any institution procuring or renewing an OSM platform should verify the presence of four provisions:

Data residency clause: All examination data — answer-book images, evaluation records, evaluator logs — must reside on servers owned or leased directly by the institution, or on NIC/MeitY-certified cloud infrastructure. Vendor-operated servers may be used for processing only, not for primary data custody.

Source code escrow: The vendor must deposit current source code with a neutral escrow agent. The institution gains access upon contract termination, vendor insolvency, or a declared security incident. This prevents the situation CBSE faced, where understanding the codebase required vendor participation.

Mandatory independent security audit: An annual penetration test by a CERT-In empanelled auditor or a named academic institution's cybersecurity team, with a full report delivered to the institution's IT head and examination controller. Vendor self-certification does not qualify.

Termination and data export SLA: Upon contract end, all examination data must be returned in a documented, portable format within 30 days. The vendor is prohibited from retaining copies. A contractual penalty applies for every day of delay beyond the SLA.

None of these clauses are exotic. They are standard in enterprise software procurement in banking and healthcare. They have simply not been applied consistently to examination technology.

The Broader Lesson

The IIT Kanpur red team found and fixed exploitable vulnerabilities in code that had already been deployed at national scale. That finding matters less as a criticism of one vendor than as evidence that examination platforms require the same security diligence that critical financial infrastructure receives.

India evaluates approximately 6 crore answer books annually through board and university examinations. The data generated — student identities, answer content, evaluator decisions, awarded marks — is among the most consequential data any institution handles. Treating that data's custody as a procurement afterthought is no longer defensible.

CBSE's recovery sprint demonstrated that the technical work of securing an examination platform is tractable. What remains is the institutional work: building vendor contracts that treat data sovereignty as a first-order requirement, not a condition to be negotiated away for a lower price.