The Central Board of Secondary Education (CBSE) accepted cybersecurity certificates from Coempt Edu Teck that were nearly two years old and tied to a different client's deployment of the same software.
The certificates, issued by CERT-In empanelled firms, were submitted as proof that the OSM platform was safe to process close to 10 million student answer scripts.
However, the platform was later found to contain a series of critical security flaws, including a master password in plain text that bypassed two-factor authentication entirely.
Researchers reported the vulnerabilities to CERT-In, but only one was patched before the portal was taken down.
The controversy has led to the government shunting out top CBSE officials and appointing a one-member government committee to examine the procurement.
