Category

CERT-In

IFF Explains: How a vulnerability in a government cloud service could have exposed the sensitive personal data of 2,50,000 Indian citizens

In January 2022, we informed CERT-In about a vulnerability in S3WaaS, a platform developed for hosting government websites, which could expose sensitive personal data of 2,50,000 Indians. The security researcher who identified the vulnerability confirmed its resolution in March 2024.
06 April, 2024
5 min read

Statement: Exemption of CERT-In from the RTI Act dilutes institutional transparency and weakens individual privacy

An amendment to the Second Schedule to the RTI Act, 2005 was notified on November 24, 2023, exempting CERT-In from providing information under the Act. This move is certainly not in the public interest as it weakens the rights of the people by diluting an Act meant to empower them.
25 November, 2023
3 min read

Top Secret: One year on, CERT-In refuses to reveal information about compliance notices issued under its 2022 Directions on cybersecurity

To mark the first anniversary of the notification of the 2022 CERT-In Directions, we filed two Right to Information (“RTI”) applications with the Department of Electronics and Information Technology, seeking details on the issuance of compliance notices under this new regulatory mandate.
28 April, 2023
4 min read

Delhi HC permits SnTHostings to respond to the CERT-In’s defence of the 2022 Directions

CERT-In has replied to SnTHostings' petition challenging the 2022 Directions, which require service providers to monitor the activities of their customers. Delhi HC has permitted SnTHostings to respond to the reply.
10 December, 2022
3 min read

Delhi HC issues notice in SnTHosting’s challenge to legality of CERT-In’s Directions

Tl;dr The Delhi HC has issued notice in a petition filed by SnTHostings challenging the legality of Direction No. 20(3)/2022-CERT-In dated April 28, 2022 (‘2022 Directions’) by the Indian Computer Emergency Response Team (‘CERT-In’). SnTHostings provides hosting, Virtual Private Network (‘VPN’) and Virtual Private Server (‘VPS’) services. The 2022 Directions presented an existential crisis to SnTHostings as they mandated it to collect a range of personal data and share it with CERT-In on de
28 September, 2022
4 min read

Delaying the inevitable: Implementation of CERT-In’s Cybersecurity Directions gets a piecemeal extension

CERT-In has extended the timeline for partial enforcement of Cyber Security Directions dated April 28, 2022. The timeline for enforcement of the directions by MSMEs and enforcement of Direction 5 (a) and (f) by entities mentioned in Direction 5 is September 25, 2022.
28 June, 2022
4 min read

SnTHostings - a VPN, Seedbox and Root Server provider - urges MeitY to withdraw the unlawful CERT-In direction which will be effective from June 27, 2022

SnTHosting has addressed legal representation to MeitY seeking recall of the CERT-In Directions which mandate them to surveil their users and collect their personal data and make such data available to CERT-In on demand.
25 June, 2022
4 min read

CERT-In Directions on Cybersecurity: An Explainer

On April 28, 2022, CERT-In issued directions aimed at strengthening India's cybersecurity. Issued without public consultations, these directions raise concerns related to state sponsored surveillance and data retention beyond need or purpose. We thus call on CERT-In to recall these directions.
05 May, 2022
8 min read

Student data exposed on Andhra Pradesh Government Examination website!

tl;dr Sai Sravan Prabhala, a cyber-security researcher, informed us of a critical vulnerability exposing the sensitive personal information of minors. This existed on the website of the Directorate of Government Examinations, Government of Andhra Pradesh, for the 2021 examinations. While this functionality itself has been removed, to prevent it from occurring again, we, assisted by Sai, have written to them and CERT-In. Background On 22nd December 2021, cyber-security researche
04 February, 2022
5 min read

Over to you MeitY: IFF's representation on CERT-In's Responsible Vulnerability Disclosure and Coordination Policy

CERT-In responded to our representation on the Responsible Vulnerability Disclosure and Coordination Policy and clarified that the Policy is following the existing provisions of the law. Therefore, now we ask MeitY to amend the law to provide a safe harbour for security researchers.
10 December, 2021
4 min read
