Security fixes are currently provided for the latest minor release only.

Please do not open a public issue for security vulnerabilities.

Report privately via:

• GitHub Security Advisories (preferred): https://github.com/peter941221/CICost/security/advisories/new
• Fallback contact: open an issue titled SECURITY: private report requested without sensitive details.

When reporting, include:

1. Affected command/module and version.
2. Reproduction steps or proof of concept.
3. Impact assessment and suggested remediation if known.

• Initial triage response: within 72 hours.
• Confirmed vulnerability status update: within 7 days.
• Fix release target: as soon as practical based on severity.