June 13, 2026
I Found a Vulnerability on a Government Web Portal. Here’s What Happened Next…
How an exposed .git directory on a state portal was identified and swiftly resolved.
Sriman kundu
In the modern digital landscape, government portals act as the backbone of citizen services and administrative workflows. Ensuring the security of these portals is paramount, as they often handle sensitive data and critical infrastructure components.
Recently, while conducting independent security research, I stumbled upon a misconfiguration in a portal maintained by the National Informatics Centre (NIC) and the Government of West Bengal. This is a brief write-up of the discovery, the potential impact, and the commendable, swift response from the government's technical team.
The Discovery: Exposed .git Directory and Admin Resources
During routine reconnaissance, I identified a .gov.in portal that was unintentionally exposing sensitive development and repository files to the public internet—specifically, a .git directory and associated administrative components.
In modern web development, Git is an essential version control system. However, if the .git folder is left accessible in the web root of a production server, it becomes a goldmine for malicious actors.
Why is an exposed .git directory dangerous?
- Source Code Leakage: Anyone can download the entire repository, allowing them to reverse-engineer the application.
- Hardcoded Secrets: Developers sometimes accidentally leave API keys, database credentials, or encryption tokens in the code. An exposed .git folder hands these keys directly to attackers.
- Infrastructure Mapping: Viewing the commit history can reveal internal network structures, developer notes, and hidden administrative endpoints.
Note: In adherence to ethical hacking principles, I did not attempt any unauthorized access, data extraction, or exploitation. The vulnerability was verified purely observationally.
The Disclosure Process
Time is of the essence when a vulnerability of this nature is discovered. On May 28, 2026, I drafted a responsible disclosure report and sent it directly to the relevant administrators and the NIC helpdesk.
In my report, I highlighted the exact nature of the exposure and provided actionable remediation steps to secure the portal.
My Recommendations Included:
- Blocking Public Access: Immediately restricting external access to the office admin page.
- Removing Repository Metadata: Deleting or hiding the .git folder from the public web root.
- Restricting Internal Resources: Ensuring that unnecessary administrative or internal endpoints are not visible to unauthenticated users.
- Reviewing and Rotating Secrets: Conducting a thorough audit of the exposed files to identify and rotate any compromised credentials or API keys.
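To make two of the points above concrete (why a .git folder inside the web root leaks the repository, and how the first two recommendations, blocking public access and removing repository metadata, look in practice), here is an added Python example written for this post. It is not code from NIC, from the portal, or from the author. It assumes a deployment pipeline that can run a check against the web root before publishing; the file names it flags (.git, .svn, .hg, .env, and a few credential files) are an illustrative set chosen for the example, not a complete standard, and the sample web root it builds is constructed data.

```python
"""Pre-deployment audit for a web root, plus a model of the server-side
deny rule that keeps dot-prefixed paths such as /.git/ from being served.
Hypothetical helpers written for this post, not NIC's or the portal's code."""
import os
import posixpath
import shutil
import tempfile
from pathlib import Path
from urllib.parse import unquote

# Directories and files that leak source, history or credentials if served.
# Illustrative set assumed for the example, not an exhaustive standard.
SENSITIVE_DIRS = {".git", ".svn", ".hg"}
SENSITIVE_FILES = {".env", ".git-credentials", ".htpasswd", "id_rsa"}


def audit_webroot(webroot):
    """Walk `webroot` and return the paths (relative to it, POSIX style, sorted)
    of any repository metadata or credential files that a web server would
    hand out verbatim. An empty list means the web root is clean."""
    root = Path(webroot)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel = Path(dirpath).relative_to(root)
        for d in list(dirnames):
            if d in SENSITIVE_DIRS:
                findings.append((rel / d).as_posix())
                dirnames.remove(d)  # the repo itself needs no further descent
        for f in filenames:
            if f in SENSITIVE_FILES:
                findings.append((rel / f).as_posix())
    return sorted(findings)


def request_allowed(request_path, allowed_hidden=(".well-known",)):
    """Model of the web-server rule recommended above: refuse any request
    whose decoded, normalised path contains a dot-prefixed segment.
    Decoding first catches '/%2Egit/HEAD'; normalising first catches
    '/static/../.git/config'. '.well-known' stays reachable because
    ACME certificate validation depends on it."""
    clean = posixpath.normpath("/" + unquote(request_path).lstrip("/"))
    for segment in clean.split("/"):
        if segment.startswith(".") and segment not in allowed_hidden:
            return False
    return True


def make_demo_webroot():
    """Build a throwaway web root (constructed sample, not a real portal):
    one public page, a stray .git directory and an app/.env file."""
    base = Path(tempfile.mkdtemp(prefix="webroot-"))
    (base / "index.html").write_text("<h1>Citizen Portal</h1>\n")
    (base / ".git").mkdir()
    (base / ".git" / "HEAD").write_text("ref: refs/heads/main\n")
    (base / ".git" / "config").write_text("[core]\n\tbare = false\n")
    (base / "app").mkdir()
    (base / "app" / ".env").write_text("DB_PASSWORD=placeholder-not-real\n")
    return base


if __name__ == "__main__":
    demo = make_demo_webroot()
    try:
        print("Audit findings:", audit_webroot(demo))
        for path in ["/index.html", "/.git/HEAD",
                     "/static/../.git/config", "/%2Egit/HEAD"]:
            verdict = "allowed" if request_allowed(path) else "DENIED"
            print(f"{path:28} -> {verdict}")
    finally:
        shutil.rmtree(demo)
```

`audit_webroot` belongs in the release pipeline, failing the deploy when it returns anything; `request_allowed` only models the intent of a server-level deny rule for dot-prefixed paths (the kind of `location` or `<Files>` rule nginx and Apache support), and the real control must live in the server configuration, where it also protects files that were already present before the check was introduced.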
Swift Remediation
When reporting vulnerabilities to large bureaucratic organizations, researchers often brace for long wait times or communication silos. However, the response from the NIC and the Government of West Bengal team was exemplary.
Exactly one week later, on June 4, 2026, I received a response from the technical team confirming that all suggested security concerns had been successfully resolved.