feat: add issue templates, security policy, and update contributing guide

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,37 @@
+---
+name: Bug Report
+about: Report a bug or unexpected behavior
+title: "fix: "
+labels: "bug"
+assignees: ""
+---
+
+## Summary
+<!-- Brief description of the bug -->
+
+## Reproduction
+<!-- Steps to reproduce the behavior -->
+1. 
+2. 
+3. 
+
+## Expected Behavior
+<!-- What you expected to happen -->
+
+## Actual Behavior
+<!-- What actually happened -->
+
+## Environment
+- **Node.js version**: 
+- **OS**: 
+- **filesize.js version**: 
+
+## Code Sample
+<!-- Minimal code snippet that reproduces the issue -->
+
+```javascript
+// Your code here
+```
+
+## Additional Context
+<!-- Any other context, screenshots, or logs -->

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,29 @@
+---
+name: Feature Request
+about: Suggest a new feature or enhancement
+title: "feat: "
+labels: "enhancement"
+assignees: ""
+---
+
+## Summary
+<!-- Brief description of the proposed feature -->
+
+## Motivation
+<!-- Why is this feature needed? What problem does it solve? -->
+
+## Proposed Solution
+<!-- How would you implement this? What would the API look like? -->
+
+## Example Usage
+<!-- Code example showing how this feature would be used -->
+
+```javascript
+// Your code here
+```
+
+## Alternatives Considered
+<!-- Any alternative approaches you've considered -->
+
+## Additional Context
+<!-- Any other context, screenshots, or references -->

.github/PULL_REQUEST_TEMPLATE.md

@@ -25,3 +25,8 @@
 - [ ] No hardcoded secrets or credentials introduced
 - [ ] Zero external dependencies added
 - [ ] ES Modules only (no CommonJS in src/)
+- [ ] JSDoc comments added/updated
+- [ ] CHANGELOG.md updated (if applicable)
+
+## Screenshots (if applicable)
+<!-- Add screenshots or GIFs for UI changes -->

.github/SECURITY.md

@@ -0,0 +1,61 @@
+# Security Policy
+
+## Supported Versions
+
+Only the latest major version receives security updates.
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 6.x     | :white_check_mark: |
+| < 6.0   | :x:                |
+
+## Reporting a Vulnerability
+
+We take security seriously. If you discover a security vulnerability, please report it responsibly.
+
+### How to Report
+
+1. **Do not** open a public issue
+2. Email security findings to the maintainers
+3. Include:
+   - Description of the vulnerability
+   - Steps to reproduce
+   - Potential impact
+   - Suggested fix (if any)
+
+### What to Expect
+
+- **Acknowledgment**: Within 48 hours
+- **Assessment**: Within 1 week
+- **Fix timeline**: Depends on severity
+  - Critical: Immediate patch
+  - High: Within 30 days
+  - Medium/Low: Next release cycle
+
+### Scope
+
+This policy covers:
+- Code execution vulnerabilities
+- Data corruption or loss
+- Authentication/authorization bypass
+- Prototype pollution
+- Dependency vulnerabilities affecting the core
+
+### Safe Harbors
+
+We will not take legal action against security researchers who:
+- Follow this responsible disclosure process
+- Make reasonable efforts to privacy and data protection
+- Keep vulnerabilities confidential until patched
+
+## Security Best Practices
+
+When using filesize.js:
+- Always validate input data before passing to filesize()
+- Keep dependencies updated
+- Use the latest stable version
+- Review changelog for security-related updates
+
+## Known Issues
+
+No known security issues at this time.

CONTRIBUTING.md

@@ -11,6 +11,7 @@ Thank you for your interest in contributing to filesize.js! This document outlin
 - [Code Style](#code-style)
 - [Commit Messages](#commit-messages)
 - [Pull Request Process](#pull-request-process)
+- [Code Review](#code-review)
 - [License](#license)
 
 ## Getting Started
@@ -41,6 +42,8 @@ When creating a new issue, include:
 - Environment details (Node.js version, OS, browser)
 - Code samples if applicable
 
+**Use the issue templates** provided in `.github/ISSUE_TEMPLATE/` for bug reports and feature requests.
+
 ## Development Workflow
 
 ### Project Structure
@@ -245,6 +248,32 @@ test: add coverage for NaN exponent edge case
 - [ ] Documentation updated (if applicable)
 - [ ] Build successful (`npm run build`)
 
+## Code Review
+
+All pull requests require at least one review before merging.
+
+### Review Process
+
+1. **Automated checks**: CI must pass (tests, lint, build)
+2. **Manual review**: At least one maintainer reviews the changes
+3. **Feedback**: Address any review comments
+4. **Approval**: Once approved, the PR can be merged
+
+### What Reviewers Look For
+
+- **Correctness**: Does the code work as intended?
+- **Coverage**: Are all edge cases tested?
+- **Performance**: Does the change impact performance?
+- **Style**: Does the code follow project conventions?
+- **Documentation**: Is the code documented?
+
+### Review Tips
+
+- Keep PRs small and focused
+- Provide context in the PR description
+- Respond to review comments promptly
+- Be open to feedback and suggestions
+
 ## License
 
 By contributing to filesize.js, you agree that your contributions will be licensed under the BSD-3 license.