From 90e92f4f5da59977d3945380d4bd06b31de6fa7d Mon Sep 17 00:00:00 2001 From: mit-d Date: Sat, 21 Feb 2026 13:19:09 -0700 Subject: [PATCH] docs: add CONTRIBUTING, SECURITY, and issue templates --- .github/ISSUE_TEMPLATE/bug_report.yml | 35 +++++++++++++++++++++ .github/ISSUE_TEMPLATE/feature_request.yml | 17 ++++++++++ CHANGELOG.md | 8 +++++ CONTRIBUTING.md | 36 ++++++++++++++++++++++ SECURITY.md | 21 +++++++++++++ 5 files changed, 117 insertions(+) create mode 100644 .github/ISSUE_TEMPLATE/bug_report.yml create mode 100644 .github/ISSUE_TEMPLATE/feature_request.yml create mode 100644 CONTRIBUTING.md create mode 100644 SECURITY.md diff --git a/.github/ISSUE_TEMPLATE/bug_report.yml b/.github/ISSUE_TEMPLATE/bug_report.yml new file mode 100644 index 0000000..5daf14a --- /dev/null +++ b/.github/ISSUE_TEMPLATE/bug_report.yml @@ -0,0 +1,35 @@ +name: Bug Report +description: Report a bug or unexpected behavior +labels: [bug] +body: + - type: textarea + id: description + attributes: + label: What happened? + description: + Describe the bug. Include the command you ran and what you expected. + validations: + required: true + + - type: textarea + id: reproduce + attributes: + label: Steps to reproduce + description: Minimal steps or a sample file to reproduce the issue. + render: bash + + - type: input + id: version + attributes: + label: Version + description: Output of `check-unicode --version` + validations: + required: true + + - type: input + id: python-version + attributes: + label: Python version + description: Output of `python --version` + validations: + required: true diff --git a/.github/ISSUE_TEMPLATE/feature_request.yml b/.github/ISSUE_TEMPLATE/feature_request.yml new file mode 100644 index 0000000..33ff4d2 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/feature_request.yml 
@@ -0,0 +1,17 @@ +name: Feature Request +description: Suggest a new feature or improvement +labels: [enhancement] +body: + - type: textarea + id: description + attributes: + label: What would you like? + description: Describe the feature and the problem it solves. + validations: + required: true + + - type: textarea + id: alternatives + attributes: + label: Alternatives considered + description: Any workarounds or alternative approaches you've tried. diff --git a/CHANGELOG.md b/CHANGELOG.md index 51b6537..f5c4043 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,13 @@ # Changelog +## Unreleased + +### Added + +- `CONTRIBUTING.md` guide +- `SECURITY.md` with private vulnerability reporting instructions +- Issue templates for bug reports and feature requests + ## 0.3.1 - 2026-02-21 ### Added diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 0000000..2042b92 --- /dev/null +++ b/CONTRIBUTING.md @@ -0,0 +1,36 @@ +# Contributing + +Thanks for your interest in contributing to `check-unicode`. + +## Development setup + +```bash +uv venv && uv pip install -e ".[dev]" +``` + +## Before submitting a PR + +1. Run the full test/lint suite: + + ```bash + pytest --cov=check_unicode + ruff check src/ tests/ + mypy src/ + ``` + +2. Add or update tests for any new behavior. +3. Update `CHANGELOG.md` under `## Unreleased` if the change is user-facing. +4. Keep commits focused -- one logical change per PR. + +## Reporting bugs + +Open an issue with: + +- The command you ran +- Expected vs actual output +- Python version (`python --version`) + +## Security issues + +If you find a security vulnerability, **do not open a public issue**. See +[SECURITY.md](SECURITY.md) for responsible disclosure instructions. diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..cc8102f --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,21 @@ +# Security Policy + +## Reporting a vulnerability + +If you discover a security vulnerability in `check-unicode`, please report it +through +[GitHub's private vulnerability reporting](https://github.com/mit-d/check-unicode/security/advisories/new). + +**Do not open a public issue.** + +You should expect an initial response within 72 hours. Once confirmed, a fix +will be prioritized and released as a patch version. + +## Scope + +This project is a static analysis tool for detecting Unicode-based attacks. The +following are in scope: + +- Bypasses that allow dangerous characters to go undetected +- False negatives in confusable/homoglyph detection +- Issues in the fix mode that could corrupt files
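Review bot: bug_report.yml (first hunk) has no pointer to the private reporting path, so a reporter who finds a detection bypass, which SECURITY.md declares in scope, will file it on the public tracker; add a `- type: markdown` element at the top of `body` whose `value` states that suspected vulnerabilities go through SECURITY.md rather than this form. Also, the `reproduce` field asks for "a sample file" but, for a tool whose bugs involve invisible or confusable characters, text pasted into the form can be normalized or stripped before it reaches the maintainer; ask reporters to give codepoint escapes such as `U+200B` or attach the file instead of relying on the `render: bash` block to preserve the raw bytes.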
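Review bot: the "Reporting bugs" list in CONTRIBUTING.md asks for the command, expected vs actual output and `python --version`, but omits the `check-unicode --version` output that bug_report.yml marks as required; add it so the two agree, or replace the list with a link to the issue template so there is one source of truth.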
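Review bot: the advisory link in SECURITY.md only works if private vulnerability reporting has been enabled in the repository's security settings; confirm that before merging, and add a fallback contact for the case where the form is unavailable. The policy also promises a 72-hour response and a patch release without saying which versions receive fixes; a short "Supported versions" section (for example, the latest 0.3.x only) would set that expectation. Minor: "False negatives in confusable/homoglyph detection" is a special case of the "Bypasses that allow dangerous characters to go undetected" bullet above it, so either merge the two or state what distinguishes them.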