New Delhi, June 11 -- Job applications typically comprise a covering e-mail and a resume; in the case of Nisarga Adhikary, 19, it was a blog post detailing vulnerabilities in the Central Board of Secondary Education's on-screen portal. This week, Adhikary was appointed Open-Source Intelligence (OSINT) and threat intelligence engineer at IIT Kanpur's technology innovation hub C3iHub. IIT Kanpur director Manindra Agrawal said he reached out to Adhikary after reading that post, published on May 22. "Nisarga Adhikary has been appointed as an engineer in our cybersecurity team. A few years ago, we had similarly recruited a couple of young engineers for the same team. I am not sure whether he is the youngest recruit at IIT Kanpur, but he is certainly among the youngest engineers to have been hired by the institute," Agrawal added. The vulnerabilities highlighted by Adhikary are just one thread in a controversy that has erupted over the adoption of on screen marking. HT's reporting has discovered that the process was rushed through. Worse, with no bids for the first tender and no successful ones for the second, the technical criteria was lowered for the third, which was eventually won by Coempt Edu Teck. HT's reporting has also discovered that the cybersecurity certificates submitted by Coempt covered a different client's deployment of the same software but on a pre-production staged environment, and that another certificate was almost two years old. At IIT Kanpur, Adhikary, who cleared his Class 12 exams this year, will analyse actionable information from publicly available sources and identify vulnerabilities in websites and applications, helping organisations address and patch potential security flaws, officials said on Tuesday. He has been appointed on a contractual basis as an engineer under the institute's cybersecurity team. "I am excited about this opportunity because it is the first time I will be working in a security-focused role. In my earlier jobs, I primarily worked as a software engineer, while cybersecurity was more of a hobby," Adhikary said. No one in his family works in cybersecurity and both his parents are working in the finance sector. "I started coding when I was six or seven years old, but I became seriously involved in cybersecurity and began participating in Capture the Flag (CTF) and other cybersecurity competitions when I was in Class 6," he said. CTF (Capture the Flag) refers to gamified hacking competitions or puzzles where participants test and develop their ethical hacking skills by legally discovering "flags" (hidden strings of text) concealed within purposefully vulnerable programs, websites, or networks. Both Adhikary and IIT Kanpur officials declined to disclose his remuneration, although Adhikary indicated that it was lower than he had expected. "The salary is decent, but I was expecting a bit more. I'm used to working on projects and with companies based in the US, and I do miss the financial advantage that comes with earning in dollars because of the USD-INR conversion," he said. Adhikary is not planning on enrolling in a college at the moment. "I want to work on building on startups and products which people use. I am not much interested in academia," he said. Following directions from Union education minister Dharmendra Pradhan on May 24, IIT Madras and IIT Kanpur deputed a four-member team of computer systems, process and cybersecurity experts to help CBSE address glitches in its post-result services portal. Agrawal, who was stationed at CBSE headquarters in Delhi as part of the exercise, met Adhikary in the capital about two weeks ago. "Adhikari is undoubtedly very talented, but he still has a great deal to learn and further develop his capabilities. IIT Kanpur offers him that opportunity. I believe he will do very well if he continues to work hard," Agrawal said. In his blog, Adhikary said he reported the vulnerabilities to India's cybersecurity watchdog CERT-In on February 25. As reported by HT on June 6, he identified five critical flaws in the OSM portal, including the storage of a master password in plain text that allowed users to bypass two-factor authentication entirely. He said he alerted CERT-In to the issues, but only one vulnerability was patched while the remaining flaws persisted until the portal was eventually taken down. Adhikary told HT that this will be his first job at an educational institute, although he has previously worked professionally with several start-ups....