diff --git a/README.md b/README.md
index 1010e39..5893498 100644
--- a/README.md
+++ b/README.md
@@ -9,6 +9,7 @@
 * [Security Model](#security-model)
 * [Threat Model](#threat-model)
 * [Usage](#usage)
+* [Changelog](#changelog)
 * [GDPR](#gdpr)
 * [YAGNI](#yagni)
 * [License](#license)
@@ -40,10 +41,6 @@ Scenario (2) is defended against because the server operator does not know the s
 
 `ipscrub` can be built statically with nginx or as a [dynamic module](https://www.nginx.com/blog/compiling-dynamic-modules-nginx-plus/). See the `Makefile` for examples of both ways.
 
-#### Packages
-
-- [Arch Linux](https://aur.archlinux.org/packages/nginx-mod-ipscrub/) (thanks to [deep-42-thought](https://github.com/deep-42-thought))
-
 ### Configuration
 
 In your `nginx.conf`,
@@ -59,6 +56,11 @@ In your `nginx.conf`,
 
 `make test`
 
+### Changelog
+
+- 1.0.1 fixed vulnerability to unmasking hashed IPs (thanks to [@marcan](https://github.com/marcan))
+- 1.0.0 initial release
+
 ## GDPR
 
 [GDPR](https://www.eugdpr.org) goes into effect on May 25, 2018. It legislates the handling of personal data about your users, including IP addresses.