diff --git a/CHANGELOG-3.5.md b/CHANGELOG-3.5.md
index 7e90a3704..2bed69fd5 100644
--- a/CHANGELOG-3.5.md
+++ b/CHANGELOG-3.5.md
@@ -71,6 +71,7 @@ See [code changes](https://github.com/etcd-io/etcd/compare/v3.4.0...v3.5.0) and
 
 - Add [`TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256` and `TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256` to `etcd --cipher-suites`](https://github.com/etcd-io/etcd/pull/11864).
 - Changed [the format of WAL entries related to auth for not keeping password as a plain text](https://github.com/etcd-io/etcd/pull/11943).
+- Add third party [Security Audit Report](https://github.com/etcd-io/etcd/pull/12201).
 
 ### Metrics, Monitoring
 
diff --git a/security/README.md b/security/README.md
index e9a2e0bb3..c5e17e9dd 100644
--- a/security/README.md
+++ b/security/README.md
@@ -31,3 +31,7 @@ As the security issue moves from triage, to identified fix, to release planning
 ## Public Disclosure Timing
 
 A public disclosure date is negotiated by the etcd Product Security Committee and the bug reporter. We prefer to fully disclose the bug as soon as possible once user mitigation is available. It is reasonable to delay disclosure when the bug or the fix is not yet fully understood, the solution is not well-tested, or for vendor coordination. The timeframe for disclosure is from immediate (especially if it's already publicly known) to a few weeks. As a basic default, we expect report date to disclosure date to be on the order of 7 days. The etcd Product Security Committee holds the final say when setting a disclosure date.
+
+## Security Audit
+
+A third party security audit was performed by Trail of Bits, find the full report [here](SECURITY_AUDIT.pdf).