chore: security issue reporting and other templates

Add instructions for how security vulnerabilities may be reported. Also add other
issue templates so reports can be more organized and reporters know what information
is needed in a report.

Author: kruton

.github/ISSUE_TEMPLATE/bug-report.yml

@@ -0,0 +1,64 @@
+name: Bug report
+description: Report a reproducible problem with the SSH library.
+title: "Bug: "
+labels: [bug]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for reporting a problem. Please include enough detail for maintainers to reproduce or reason about the issue.
+  - type: textarea
+    id: summary
+    attributes:
+      label: Summary
+      description: What went wrong?
+    validations:
+      required: true
+  - type: textarea
+    id: reproduce
+    attributes:
+      label: Steps to reproduce
+      description: Include a minimal code sample or command sequence when possible.
+      placeholder: |
+        1. Configure client with ...
+        2. Connect to ...
+        3. Observe ...
+    validations:
+      required: true
+  - type: textarea
+    id: expected
+    attributes:
+      label: Expected behavior
+      description: What did you expect to happen?
+    validations:
+      required: true
+  - type: textarea
+    id: actual
+    attributes:
+      label: Actual behavior
+      description: What happened instead? Include stack traces or logs if available.
+      render: text
+    validations:
+      required: true
+  - type: input
+    id: version
+    attributes:
+      label: Library version
+      placeholder: "0.2.2-SNAPSHOT"
+    validations:
+      required: true
+  - type: input
+    id: runtime
+    attributes:
+      label: Runtime
+      description: Kotlin/JDK/Android version, if relevant.
+      placeholder: "Kotlin 2.3.21, JDK 21"
+    validations:
+      required: false
+  - type: textarea
+    id: context
+    attributes:
+      label: Additional context
+      description: Server implementation, algorithms, platform, or anything else useful.
+    validations:
+      required: false

.github/ISSUE_TEMPLATE/compatibility-report.yml

@@ -0,0 +1,59 @@
+name: Compatibility report
+description: Report interoperability with a specific SSH server, algorithm, or client workflow.
+title: "Compatibility: "
+labels: [compatibility]
+body:
+  - type: input
+    id: server
+    attributes:
+      label: SSH server
+      description: Server implementation and version.
+      placeholder: "OpenSSH_9.9p2"
+    validations:
+      required: true
+  - type: input
+    id: library-version
+    attributes:
+      label: Library version
+      placeholder: "0.2.2-SNAPSHOT"
+    validations:
+      required: true
+  - type: dropdown
+    id: area
+    attributes:
+      label: Area
+      options:
+        - Connection setup
+        - Key exchange
+        - Host key verification
+        - Authentication
+        - Shell/session channel
+        - SFTP
+        - Port forwarding
+        - Agent forwarding
+        - Other
+    validations:
+      required: true
+  - type: textarea
+    id: algorithms
+    attributes:
+      label: Algorithms and configuration
+      description: Include negotiated algorithms, client config, auth methods, or server config if known.
+      render: text
+    validations:
+      required: false
+  - type: textarea
+    id: behavior
+    attributes:
+      label: Observed behavior
+      description: What works or fails? Include logs or packet-level details if available.
+      render: text
+    validations:
+      required: true
+  - type: textarea
+    id: expected
+    attributes:
+      label: Expected behavior
+      description: What did you expect based on other clients, server docs, or protocol references?
+    validations:
+      required: false

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,5 @@
+blank_issues_enabled: true
+contact_links:
+  - name: Security vulnerability
+    url: https://github.com/connectbot/cbssh/security/advisories/new
+    about: Please report vulnerabilities privately.

.github/ISSUE_TEMPLATE/feature-request.yml

@@ -0,0 +1,33 @@
+name: Feature request
+description: Suggest a new capability or API improvement.
+title: "Feature: "
+labels: [enhancement]
+body:
+  - type: textarea
+    id: problem
+    attributes:
+      label: Problem
+      description: What are you trying to do, and what is missing today?
+    validations:
+      required: true
+  - type: textarea
+    id: proposal
+    attributes:
+      label: Proposed solution
+      description: Describe the API, behavior, algorithm, or workflow you would like.
+    validations:
+      required: true
+  - type: textarea
+    id: alternatives
+    attributes:
+      label: Alternatives considered
+      description: Workarounds, other libraries, or different designs you considered.
+    validations:
+      required: false
+  - type: textarea
+    id: context
+    attributes:
+      label: Additional context
+      description: Relevant RFCs, OpenSSH behavior, server compatibility, or examples.
+    validations:
+      required: false

.github/ISSUE_TEMPLATE/security.md

@@ -0,0 +1,14 @@
+---
+name: Security report
+about: Report a vulnerability or sensitive security issue.
+title: "Security: "
+labels: security
+---
+
+Please do not open a public issue for vulnerabilities or sensitive security reports.
+
+Use GitHub's private vulnerability reporting for this repository:
+
+https://github.com/connectbot/cbssh/security/advisories/new
+
+Contact the maintainers privately if private reporting is unavailable.

SECURITY.md

@@ -0,0 +1,38 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+Please do not report security vulnerabilities in public GitHub issues.
+
+Use GitHub's private vulnerability reporting for this repository:
+
+https://github.com/connectbot/cbssh/security/advisories/new
+
+If private vulnerability reporting is unavailable, contact the maintainers privately before publishing details.
+
+## What to Include
+
+When possible, include:
+
+- The affected library version or commit.
+- A clear description of the vulnerability and impact.
+- Steps to reproduce, proof-of-concept code, or relevant logs.
+- Any known affected SSH servers, algorithms, authentication methods, or protocol messages.
+- Whether the issue is already public or has been reported elsewhere.
+
+Please avoid including secrets, private keys, production credentials, or sensitive host details in reports.
+
+## Supported Versions
+
+Security fixes are generally provided for:
+
+- The current development line on `main`.
+- Active maintenance branches named `release/<major.minor>`.
+
+Older versions may receive fixes when the impact is severe and a maintenance branch exists or can be reasonably created.
+
+## Disclosure Process
+
+Maintainers will review private reports and coordinate a fix before public disclosure when appropriate. Depending on severity and complexity, the fix may be released from `main`, an active `release/<major.minor>` branch, or both.
+
+Public advisories, release notes, and CVE requests will be handled after a fix is available or a coordinated disclosure date is reached.