docs: add CONTRIBUTING, SECURITY, and issue templates

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,35 @@
+name: Bug Report
+description: Report a bug or unexpected behavior
+labels: [bug]
+body:
+  - type: textarea
+    id: description
+    attributes:
+      label: What happened?
+      description:
+        Describe the bug. Include the command you ran and what you expected.
+    validations:
+      required: true
+
+  - type: textarea
+    id: reproduce
+    attributes:
+      label: Steps to reproduce
+      description: Minimal steps or a sample file to reproduce the issue.
+      render: bash
+
+  - type: input
+    id: version
+    attributes:
+      label: Version
+      description: Output of `check-unicode --version`
+    validations:
+      required: true
+
+  - type: input
+    id: python-version
+    attributes:
+      label: Python version
+      description: Output of `python --version`
+    validations:
+      required: true

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -0,0 +1,17 @@
+name: Feature Request
+description: Suggest a new feature or improvement
+labels: [enhancement]
+body:
+  - type: textarea
+    id: description
+    attributes:
+      label: What would you like?
+      description: Describe the feature and the problem it solves.
+    validations:
+      required: true
+
+  - type: textarea
+    id: alternatives
+    attributes:
+      label: Alternatives considered
+      description: Any workarounds or alternative approaches you've tried.

CHANGELOG.md

@@ -1,5 +1,13 @@
 # Changelog
 
+## Unreleased
+
+### Added
+
+- `CONTRIBUTING.md` guide
+- `SECURITY.md` with private vulnerability reporting instructions
+- Issue templates for bug reports and feature requests
+
 ## 0.3.1 - 2026-02-21
 
 ### Added

CONTRIBUTING.md

@@ -0,0 +1,36 @@
+# Contributing
+
+Thanks for your interest in contributing to `check-unicode`.
+
+## Development setup
+
+```bash
+uv venv && uv pip install -e ".[dev]"
+```
+
+## Before submitting a PR
+
+1. Run the full test/lint suite:
+
+   ```bash
+   pytest --cov=check_unicode
+   ruff check src/ tests/
+   mypy src/
+   ```
+
+2. Add or update tests for any new behavior.
+3. Update `CHANGELOG.md` under `## Unreleased` if the change is user-facing.
+4. Keep commits focused -- one logical change per PR.
+
+## Reporting bugs
+
+Open an issue with:
+
+- The command you ran
+- Expected vs actual output
+- Python version (`python --version`)
+
+## Security issues
+
+If you find a security vulnerability, **do not open a public issue**. See
+[SECURITY.md](SECURITY.md) for responsible disclosure instructions.

SECURITY.md

@@ -0,0 +1,21 @@
+# Security Policy
+
+## Reporting a vulnerability
+
+If you discover a security vulnerability in `check-unicode`, please report it
+through
+[GitHub's private vulnerability reporting](https://github.com/mit-d/check-unicode/security/advisories/new).
+
+**Do not open a public issue.**
+
+You should expect an initial response within 72 hours. Once confirmed, a fix
+will be prioritized and released as a patch version.
+
+## Scope
+
+This project is a static analysis tool for detecting Unicode-based attacks. The
+following are in scope:
+
+- Bypasses that allow dangerous characters to go undetected
+- False negatives in confusable/homoglyph detection
+- Issues in the fix mode that could corrupt files