When most people stumble upon a security gap, they look the other way or take advantage of it. An 18-year-old from Lucknow did neither. He stayed up through the night to make sure millions of students were protected.
The discovery that changed his night
Late at night, while reviewing the official UP Board result portals ahead of the 2026 board exam results, Adarsh Verma noticed something that immediately raised an alarm.
The Intermediate (12th) portal at upresults12.upmsp.edu.in and the High School (10th) portal at upresults10.upmsp.edu.in both appeared to be storing authentication hashes and cached data as plaintext inside publicly reachable resources. In the wrong hands, this flaw could allow anyone to pull the complete result records of every registered student, with no credentials required.
With the UP Board serving more than 50 lakh students each year, and both portals sharing the same vulnerability, the exposure risk was enormous. Student names, roll numbers, marks, school information, and results could all potentially be accessed and harvested by anyone who knew where to look.
Choosing integrity over recognition
He did not take advantage of what he found. He did not share screenshots online for attention. He did not post a single word on social media. Instead, Adarsh drafted two detailed responsible disclosure emails, one per portal, addressed directly to the Director and CISO of Madhyamik Shiksha Parishad, UP, with CERT-In, India’s national cybersecurity body, copied on both.
By 2:32 AM, both emails were on their way. Each one outlined the exact nature of the flaw, the scale of potential impact, the actions he had deliberately chosen not to take, and a clear set of fixes including an urgent audit of the server-side caching setup, enforcement of proper access controls, and a thorough security review before the results went live.
He put his real name on both. He included his phone number. No hiding behind aliases, no theatrics.
“I have built companies around cybersecurity. If I see a vulnerability and walk away, everything I preach means nothing. Integrity is not a brand strategy, it is a choice you make at 2 AM when nobody is watching.”
Adarsh Verma, Founder, HackSnip
A rare act in India’s cybersecurity landscape
Responsible disclosure has long been standard practice among security researchers globally, but in India, especially when government systems are involved, it remains uncommon. Many researchers go quiet, wary of potential legal consequences under the broadly written IT Act. Others rush to publish their findings publicly, chasing credit before a fix is even in place.
Adarsh took neither shortcut. He documented the issue thoroughly, reported it through the right channels, put the safety of students ahead of everything else, and walked away expecting nothing.
The entrepreneur behind the disclosure
Adarsh is not a full-time security researcher by trade. He is an 18-year-old BTech Computer Science student and entrepreneur based in Lucknow. When he was just 16, he started We Anonymous as a cybersecurity-focused Instagram page, built it into a proper venture with courses, tools, and workshops, took it to a Rs.10 million valuation, and wrapped up with a Rs.279 million acquisition, all within two months.
Since then, he has built Social Sense, a growth and automation agency; Sendmate, an AI-driven cold email platform; and Charmly AI, a tool for investment guidance. His current focus is HackSnip, a cybersecurity venture centred on real-time defence tools and high-level ethical hacking education. Through his holding company SK Group, he serves 478+ active clients and has grown a combined organic following of over 745,000 across platforms.
What he did with the UPMSP vulnerability is consistent with everything he has built. It shows someone with a deep enough grasp of security to spot a serious flaw, and a strong enough sense of responsibility to act on it the right way.
What comes next for lakhs of students
The disclosures are now in the hands of UPMSP and CERT-In. Adarsh is not holding his breath for a reward. Indian government institutions seldom run formal bug bounty programmes. He is not waiting for a public acknowledgement either. His one expectation is straightforward: that the vulnerabilities are patched before results are announced, so that crores of students can check their scores without their personal information sitting unprotected on a compromised server.
For him, that outcome is more than enough.
About the author
Adarsh Verma is the Founder of HackSnip and SK Group, and former CEO of We Anonymous. He builds cybersecurity tools, education platforms, and automation systems from Lucknow, India.