The NEET paper will be set by IIT professors sitting in the jungles of Lakshadweep, the RBI will print it, the Air Force will fly it to the centres in Rafales, BSF commandos carrying AK-47s will do the invigilation, and the kids will turn up in just their innerwear. Only then will it be conducted fairly.
Day K+19:
- Finished the Striver Sheet up to BST, starting graphs from tomorrow
- Haven't touched ML for 2 days guys, it drops off a bit sometimes, back on it from tomorrow anyhow.
Day K+16:
DSA :
- Binary trees - max depth, check for balanced BT, diameter, max path sum, identical check, zigzag traversal
- Gave CF Div2, solved 2 questions.
Day K+14:
ML:
- Learned basic MLflow, DagsHub and BentoML implementation
- Data version control implementation
DSA :
Binary tree level order traversal
Watching a lot of horror movies these days.
Day K+13:
ML :
- Created a model pusher and a training and batch prediction pipeline
- Ran it on localhost and the final models were getting created
DSA :
- solved LC 3633
Day K+12 :
ML :
- Created model trainer and evaluation, and did experiment tracking with MLflow
- Did MLflow experiment tracking with DagsHub
DSA :
- Binary Tree , traversals(pre, in, post)
- Solved 3 easy LC
Day K+10:
ML :
- Implemented the basic data transformation architecture and model trainer for my project
DSA :
- Minimum number of platforms, job sequencing, Candy
So how can we fix this? It is actually pretty straightforward.
Create a statutory Safe Harbour for good-faith security researchers.
Carve out Section 66 of the IT Act so researchers who follow responsible disclosure are protected from prosecution.
National Bug Bounty Programme.
Pay Rs 5-50 lakh per critical vulnerability across all government systems. Make it public. Make it competitive.
The Israeli, US, and Singaporean models have proven this generates 100x return on investment compared to internal audits.
Mandatory annual third-party security audits for all government tech systems handling more than 1 lakh users’ data.
Publish executive summaries. Force accountability.
Empower CERT-In with statutory authority to force patch deployment within defined SLAs.
Right now they can advise. They cannot enforce. This needs amendment.
A National Cybersecurity Coordinator position with cabinet rank, similar to the US National Cyber Director.
Currently cyber policy is scattered across MeitY, NCSC, NTRO, DSCI, CERT-In, MHA. No single accountable owner.
While simple, each one of these reforms requires admitting that current systems are broken.
> Government departments resist this because it makes them look bad.
> Politicians resist because nobody loses elections over cybersecurity but everyone loses face if a breach happens on their watch.
> Procurement vendors resist because their margins depend on shipping cheap systems quickly.
> Bureaucracies resist because security accountability adds friction.
The only path forward is sustained public attention on cases like this.
The reason the US, UK, EU, and Singapore have better security frameworks is because their voters, media, and tech communities sustained pressure for two decades.
Cases like Nisarga’s are the early inflection points in this journey.
How we treat him, how we treat the framework, how we treat the next 50 such researchers will determine whether we end up with Singapore’s security maturity by 2040 or remain perpetually surprised by breaches that should have been preventable.
This is a case study in how India’s entire vulnerability disclosure framework is structurally broken.
Let me explain;
The first broken piece is the legal trap.
When Nisarga “hacked” CBSE, he technically violated Section 66 of the IT Act, which criminalises unauthorised access to a computer system.
There is no carve-out for security research in Indian law. None. The fact that he reported responsibly to CERT-In gives him zero legal protection on paper. The only thing standing between him and prosecution right now is CBSE choosing not to file a complaint.
Compare with the US.
The DOJ formally announced in 2022 that “good faith security research” will not be prosecuted under the CFAA. The UK has similar protections. The Netherlands codifies it. Singapore has formal coordinated vulnerability disclosure policies.
India has none of this. Every researcher who reports a flaw is literally betting that the affected department is nice enough not to retaliate.
Because of this, the best Indian security researchers work for foreign bug bounty programs like HackerOne and Bugcrowd because the legal risk of reporting to Indian government systems is too high.
They find Indian vulnerabilities and stay quiet. We have no idea how many critical flaws exist in our digital infrastructure right now that researchers have spotted but won’t report.
The second broken piece is CERT-In itself.
CERT-In is mandated as India’s nodal cybersecurity body but operates with three structural disadvantages most people don’t know about.
It has no enforcement authority. It can issue advisories. It can recommend patches. It cannot force a government department to fix anything. CBSE could ignore CERT-In for the next 5 years and there’s no mechanism to compel action.
Its budget is roughly Rs 700 crore annually. For comparison, the UK’s NCSC operates with Rs 5,800 crore. The US CISA operates with Rs 25,000+ crore. India’s cyber defence per citizen spend is one of the lowest among G20 countries.
The 2022 CERT-In directive that required companies to report incidents within 6 hours and store logs for 180 days generated huge industry pushback because the timeline was unrealistic.
The directive remains active but enforcement has been patchy. It’s the opposite problem from CBSE. Over-regulation of the private sector, under-regulation of the public sector.
The third broken piece is the architectural mistake repeated across every system.
CBSE OSM had a 17-year-old find an authentication bypass. Aadhaar had multiple leaks in 2018, 2019 and 2023. CoWIN had a Telegram bot in 2023 pulling personal data using phone numbers. The Income Tax e-filing portal had multiple authentication issues during its 2021 relaunch.
The common thread is the same architectural mistake.
Government tech is built via tender. Lowest bidder wins.
Security is treated as a nice-to-have. Systems go live with 6-month delivery deadlines and 1-month security audits. Patches happen reactively.
We are investing heavily in our digital infrastructure. DIGIPIN is rolling out across India.
Account Aggregator framework is integrating banking, insurance, mutual funds, and credit data into a single financial data exchange layer.
ONDC is integrating thousands of small businesses and consumers.
Each of these systems is bigger than CBSE OSM, but our approach to this is tepid.
Israel pays its top security researchers Rs 1-3 crore packages through Unit 8200 and post-military startups. The talent stays in the country and builds Check Point, CyberArk, Wiz, Palo Alto Networks.
India trains 1.5 lakh cybersecurity engineers annually and exports most of them.
The US runs Hack the Pentagon and Hack the Army, where they invite ethical hackers to legally test the most sensitive systems and pay $5,000-$50,000 bounties.
India’s version is closed-loop and opaque. We have no equivalent for Defence, Income Tax, or any major department.
@NTA_Exams Fire your employees and give those jobs to someone capable if you are giving the students this kind of output; at least that way your integrity as a government exam agency would be maintained!!