Security: ArivunidhiA/forecost

SECURITY.md

Security Policy

Supported Versions

The latest main branch and the latest published release are actively supported with security fixes.

Reporting a Vulnerability

If you discover a security issue, please report it privately:

  • Open a private security advisory on GitHub for this repository, or
  • Email the maintainer listed in the project profile.

Please include:

  • A clear description of the issue
  • Steps to reproduce
  • Potential impact
  • Suggested remediation (if available)

Response Process

  1. We acknowledge reports within 72 hours.
  2. We validate and triage severity.
  3. We prepare and test a fix.
  4. We publish a patched release and disclose details responsibly.

Scope

This policy applies to:

  • The forecost Python package
  • CLI entrypoints and local database interactions
  • Bundled GitHub Actions workflows

There aren’t any published security advisories