This manner of disclosure seems rather callous and reaching out on twitter to communicate a discovered vuln smacks of attention seeking. The Indian Government sites are a very wide mix with some where there is active consideration of such criticalities and a huge number created by the local enterprising chap who is no longer involved. Its hardly a surprise that lots of sites are vulnerable. Without some info on the sites, this is just scare mongering. NPCI is a critical piece of financial infrastructure but this could very well be the front-facing website and nothing to do with the financial services. Looks like an ad, as many others have pointed out.