A 16-year-old student from Dubai has found himself at the centre of a major cybersecurity disclosure after identifying a data exposure issue on the JEE Advanced 2026 results portal, prompting IIT Roorkee to take immediate corrective action and publicly thank him for reporting the vulnerability.
Rylen Anil Perumkannaril, a Class 12 student at JSS Private School, Dubai, said he discovered the issue while actively searching for security flaws as part of his cybersecurity research.
The teenager, who is a member of the cybersecurity Capture The Flag (CTF) team g4mra, currently ranked 68th globally, said his interest in cybersecurity began with a curiosity about how digital systems work.
"I got into cybersecurity through curiosity and a genuine interest in understanding how systems work behind the scenes. I began by exploring Linux, programming and security challenges, which gradually led me into CTFs and responsible vulnerability research," Rylen told The Free Press Journal.
Publicly Accessible Data
According to Rylen, he came across the issue while testing the JEE Advanced results portal and noticed a database that appeared to be publicly accessible without authentication.
"I first came across the vulnerability in the JEE Result portal while pentesting the site. While doing so, I noticed this database showing up, and when I looked into it, I found that it was publicly exposed without authentication," he said.
The vulnerability, he explained, was caused by a cloud storage misconfiguration.
While some technical understanding was required to identify the issue, Rylen said that anyone possessing the correct URL could potentially access the exposed information.
Based on his assessment, nearly 1.79 lakh result records and around 1.87 lakh admit-card PDF files were accessible. He said these figures were not estimates but were derived by counting the objects stored within different folders.
"I could see all the objects in the database and counted all of them. There were different folders for admit cards, student results and other records," he said.
Personal Details Exposed
Rylen claimed that the exposed information included candidates' full names, phone numbers, dates of birth, parents' names and admit-card details.
However, he said he found no evidence suggesting that the data had been misused, downloaded or accessed by unauthorised individuals. He also said he could not determine how long the information had remained exposed.
"I have no evidence indicating whether the data was copied or accessed by anyone else," he said.
IIT Roorkee Acknowledges Report
After identifying the issue, Rylen said he reported it through official channels. He had previously been in touch with the National Testing Agency (NTA) regarding another vulnerability and forwarded the details of the JEE Advanced issue to them, following which the information was passed on to IIT Roorkee.
"I had been contacted by NTA for my earlier vulnerability and had sent them this vulnerability, which was then sent to IIT Roorkee," he said.
According to the student, he also shared technical evidence and supporting information with the relevant authorities.
"I have sent my evidence and technical details to the required authorities, and I must commend them on how swiftly they took care of it," he added.
Responding publicly on X, IIT Roorkee confirmed the issue and thanked the teenager for bringing it to the institute's attention.
"Thank you @DarthKermy72747 for pointing out the configuration issue in the cloud storage device. The same is being plugged on priority. The data stored was read-only and so there was no possibility of any alteration. We applaud your responsible and ethical behaviour," the institute wrote.
Rylen said officials from both NTA and IIT Roorkee personally contacted him after the disclosure.
"NTA and IIT officials have contacted me regarding this and have thanked me for bringing it to their attention, and they promptly fixed the issue," he said.
A Call for Stronger Cybersecurity
The incident comes at a time when digital examination systems and government portals are facing increased scrutiny over cybersecurity preparedness.
Asked whether the case reflects broader weaknesses across India's examination ecosystem, Rylen said vulnerabilities do exist but believes such incidents can encourage greater participation in responsible security research.
"I do believe our government portals have vulnerabilities, but I also feel that this is a pivotal moment that will inspire more people to help secure our nation," he said.
The student confirmed that the vulnerability has now been fixed and described the response from authorities as swift and cooperative.
