Adarsh Verma · April 24, 2026 · 4 min read
Most people find a vulnerability and either ignore it or exploit it. An 18-year-old founder from Lucknow found one that could expose millions of student records and spent the middle of the night doing the right thing instead.
How it started
It was past midnight when Adarsh Verma, founder of HackSnip and former CEO of the cybersecurity venture We Anonymous, was browsing the official UP Board result portals ahead of the 2026 board examination results. What he noticed stopped him cold.
Both the Intermediate (12th) and High School (10th) result portals, hosted at upresults12.upmsp.edu.in and upresults10.upmsp.edu.in respectively, appeared to store authentication hashes and cache data in plaintext within publicly accessible resources. The implication was serious: a malicious actor could potentially enumerate and download the result records of every student in the database without any authorization whatsoever.
The UP Board conducts examinations for over 50 lakh students annually. Both portals were affected by the same underlying flaw, meaning personal data including names, roll numbers, marks, school details, and pass/fail status could all be at risk.
What he did next
Adarsh did not exploit it. He did not screenshot it for clout. He did not post about it on social media. Instead, he sat down and wrote two formal responsible disclosure emails, one for each portal, addressed to the Director and CISO of Madhyamik Shiksha Parishad, UP, and copied CERT-In, India’s national cybersecurity agency, on both.
Both emails were sent by 2:32 AM. They clearly stated the nature of the vulnerability, the potential impact, the steps he had not taken, and a set of concrete remediation recommendations including an immediate audit of the server-side caching mechanism, implementation of proper access controls, and a full security audit before result declaration.
He signed his real name and left his phone number. No anonymity. No games.
“I have built companies around cybersecurity. If I see a vulnerability and walk away, everything I preach means nothing. Integrity is not a brand strategy, it is a choice you make at 2 AM when nobody is watching.”
— Adarsh Verma, Founder, HackSnip
Why this matters
Responsible disclosure is a well-established practice in the global cybersecurity community but it is still rare in India, particularly when the target is a government institution. Most researchers either stay silent out of fear of legal action under the broadly worded IT Act, or go public immediately for recognition.
Adarsh chose the harder path: document it carefully, report it to the right people, protect the students first, and ask for nothing in return.
Who is Adarsh Verma
Adarsh is not a professional security researcher. He is an 18-year-old entrepreneur from Lucknow currently pursuing BTech in Computer Science. At 16, he launched We Anonymous as a small Instagram cybersecurity page, grew it into a full venture offering courses, tools, and workshops, scaled it to a Rs.10 million valuation, and exited in a 279 million acquisition deal in just under two months.
He has since founded Social Sense, a growth and automation agency, built Sendmate, an AI-powered cold email tool, launched Charmly AI, an investment guidance platform, and is now building HackSnip, his next cybersecurity venture focused on real-time defense tools and advanced ethical hacking education. Under his holding company SK Group, he works with 478+ active clients and manages a combined audience of 745K+ followers built entirely through organic content.
The UPMSP disclosure fits exactly who he is: someone who understands cybersecurity deeply enough to recognize a serious flaw, and who has built enough integrity into his character to do something responsible about it.
What happens now
Both emails have been submitted to UPMSP and CERT-In. Adarsh is not expecting a bounty. Government bodies in India rarely have formal bug bounty programs. He is not expecting a public thank you either. What he is expecting is that the portals get fixed before results are declared and that lakhs of students can check their marks without their personal data sitting exposed on a vulnerable server.
That, he says, is enough.
About the author
Adarsh Verma is the Founder of HackSnip and SK Group, and former CEO of We Anonymous. He builds cybersecurity tools, education platforms, and automation systems from Lucknow, India.