Add SECURITY.md and PR template

- Add responsible disclosure policy for crypto library security
- Add pull request template with checklist

Author: koko1123

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,19 @@
+## What
+
+Brief description of the change.
+
+## Why
+
+What problem does this solve or what feature does it add?
+
+## How
+
+Key implementation details or approach taken.
+
+## Checklist
+
+- [ ] `zig build test` passes
+- [ ] `zig fmt --check src/ tests/` passes
+- [ ] New functionality includes tests
+- [ ] No external dependencies added
+- [ ] CHANGELOG.md updated (if user-facing change)

SECURITY.md

@@ -0,0 +1,37 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported |
+|---------|-----------|
+| 0.1.x   | Yes       |
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability in eth.zig, please report it responsibly.
+
+**Do not open a public GitHub issue for security vulnerabilities.**
+
+Instead, email **security@strobelabs.com** with:
+
+1. A description of the vulnerability
+2. Steps to reproduce
+3. Potential impact
+4. Suggested fix (if any)
+
+We will acknowledge receipt within 48 hours and aim to provide a fix or mitigation within 7 days for critical issues.
+
+## Scope
+
+eth.zig includes cryptographic primitives (secp256k1 ECDSA, Keccak-256, BIP-32/39/44) implemented in pure Zig. Security issues in these components are treated as critical.
+
+Areas of particular concern:
+
+- **Private key handling** -- memory leaks, timing attacks, improper zeroing
+- **Signature generation** -- RFC 6979 nonce generation, low-S normalization
+- **Transaction signing** -- replay protection, chain ID encoding
+- **ABI encoding/decoding** -- buffer overflows, incorrect padding
+
+## Recognition
+
+We credit reporters in the CHANGELOG (with permission) when a vulnerability is confirmed and fixed.