Coordinated Disclosure

Advisories

Coordinated vulnerability disclosure advisories authored by ZERO|TOLERANCE Security Research. Each advisory follows our Responsible Discovery and Disclosure Guidelines: a 90-day coordinated window, closed earlier when the vendor lands a fix and extended when good-faith remediation is in progress. Coordination runs through CERT/CC or the relevant national CSIRT where applicable. Canonical artifacts are published as PDFs with detached PGP signatures.

Active Since
May 18, 2026
Coordinator
CERT/CC (US-CERT)
Policy Version
v1.6 (March 24, 2026)
Signing Key
0x7BD71863418DC1BE

One coordinated advisory currently published. Future advisories will be appended to this index.

1
Published
5
CVE Classes
2
Critical
3
High
Published Advisory

Multiple Vulnerabilities in Deloitte AI Assist Ascend Platform

CRITICAL HIGH FINAL CERT/CC Coordinated

VU#487875 · May 18, 2026

Coordinated disclosure of five distinct CVE classes affecting six tenants of the Deloitte AI Assist Ascend platform. Coordinated with CERT/CC under VU#487875; Day 64 disposition checkpoint, published Day 66 checkpoint per coordinator agreement. Read the full advisory → Per-CVE disposition scorecard and 59-item findings annex available in the canonical PDF below.

Author
Karim El Labban (ZERO|TOLERANCE Security Research)
Affected
Deloitte AI Assist - Ascend platform
Tracking
CERT/CC VU#487875
CVE Classes
5 (59 individual items in disposition scorecard)
Severity
CVSS v3.1 7.5-9.1 (2 CRITICAL, 3 HIGH)
Disclosure
Day 64 disposition checkpoint, published Day 66 per CERT/CC coordinated agreement (early coordinated close, ZT Disclosure Policy v1.6 section 4)
Status
Final - coordinated disclosure complete
Canonical Artifact
VU487875-deloitte-ascend-advisory.pdf 217 KB
SHA-256 2bdb7003a4fd24434b6bd380c3f4d96bed0215668087e459e43d448790f8301e
Signature PGP detached signature (.asc)
Signing Key 7171 FB9C 2AEA 69B9 FE4F 053F 7BD7 1863 418D C1BE
Key On keys.openpgp.org / /.well-known/pgp-key.txt
Verify
gpg --verify VU487875-deloitte-ascend-advisory.pdf.asc VU487875-deloitte-ascend-advisory.pdf
About These Advisories

Coordinated Disclosure Process

ZT advisories are released under our Responsible Discovery and Disclosure Guidelines. Vendor security teams or national CSIRTs who would like to coordinate on a finding can reach security@zerotolerance.me. Encrypted communication via PGP/GPG preferred; public key 0x7BD71863418DC1BE is published on keys.openpgp.org and at /.well-known/pgp-key.txt.

All canonical advisory artifacts are PDFs with detached PGP signatures. SHA-256 hashes are cross-published in the coordinator case thread (CERT/CC VINCE or equivalent national CSIRT) so verifiers have an independent trust anchor outside zerotolerance.me TLS.