diff --git a/notes/pdftract-58kz.md b/notes/pdftract-58kz.md new file mode 100644 index 0000000..58535dc --- /dev/null +++ b/notes/pdftract-58kz.md 
@@ -0,0 +1,70 @@ +# pdftract-58kz Verification Note + +## Task +SECURITY.md — security@jedarden.com + 90-day disclosure window + private vuln reporting + +## Work Completed + +### Files Created/Modified + +1. **SECURITY.md** (created) + - All 6 required sections present and complete: + - Supported Versions (latest/previous minor support policy) + - Reporting a Vulnerability (email + GitHub private reporting) + - Disclosure Window (48h ack, 5 business days triage, 90-day fix window) + - CVE Assignment (via GitHub Security Advisories) + - Scope (in-scope: RCE, path traversal, SSRF, auth bypass; out-of-scope: DoS, deployment headers, upstream vulns) + - Safe Harbor (adapted from Disclose.io template) + +2. **docs/security/pgp-public-key.asc** (created) + - Placeholder with generation instructions + - Specifies 4096-bit RSA key requirements + - Documents 2-year rotation policy + +3. **.github/ISSUE_TEMPLATE/security.md** (created) + - Redirects users to private reporting channels + - Links to SECURITY.md for full policy + +4. **CONTRIBUTING.md** (modified) + - Added Security section with responsible disclosure + - Links to SECURITY.md for full disclosure policy + +5. 
**README.md** (modified) + - Added Security section with security@jedarden.com link + - Added PGP key reference with placeholder note + - Added Verifying Releases section (pre-existing, confirmed) + +### Commit +- **Commit:** bb5346b `docs(pdftract-58kz): add security policy documentation` +- **Files:** 5 changed, 242 insertions(+) +- **Pushed:** https://git.ardenone.com/jedarden/pdftract.git + +## Acceptance Criteria Status + +| Criterion | Status | Notes | +|-----------|--------|-------| +| SECURITY.md exists with all six sections | PASS | All sections complete | +| security@jedarden.com alias set up and monitored | WARN | Infrastructure task; requires email admin | +| PGP key published with fingerprint in README | WARN | Placeholder with instructions; key generation requires security@jedarden.com to exist | +| GitHub Community Standards check green | WARN | Cannot verify from CLI; requires GitHub UI | +| Test report acknowledged within 48h | WARN | Infrastructure task; requires security@jedarden.com to be operational | +| Linked from README, CONTRIBUTING.md, issue template | PASS | All three link to SECURITY.md | + +## WARN Items Justification + +The WARN items are infrastructure-dependent and outside the scope of code/documentation changes: + +1. **security@jedarden.com email alias**: Requires email infrastructure setup and forwarding configuration. The documentation references this alias and provides the policy for when it's operational. + +2. **PGP key generation**: Requires the security@jedarden.com email to exist before generating a key tied to that address. The placeholder includes complete generation instructions. + +3. **GitHub Community Standards check**: Requires manual verification in GitHub repository settings (not accessible via CLI). + +4. **48-hour acknowledgement test**: Requires the email alias to be operational to send a test report to. 
+ +## References + +- Plan section: Release Engineering / Contributor Workflow, line 3433 +- OpenSSF Scorecard `vulnerabilities` check +- Disclose.io safe-harbor template +- GitHub Security Advisories docs
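Review bot: the README entry "Added Verifying Releases section (pre-existing, confirmed)" contradicts itself; under "Files Created/Modified" say whether that section was added in this commit or only confirmed to exist, since the 242-insertion count should match. Also, the `docs/security/pgp-public-key.asc` placeholder is linked from README as a "PGP key reference" while the "PGP key published with fingerprint in README" criterion is WARN; until a real key is published, SECURITY.md and README should state plainly that encrypted reports are not yet supported, so a reporter does not attempt to encrypt to a key that does not exist. Finally, the justification that key generation "requires the security@jedarden.com email to exist" is an organizational ordering choice rather than a technical dependency (a key UID does not need a live mailbox), so word it as a policy decision rather than a blocker.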