CHANGELOG: update with added audit report

Update the changelog for recently added audit report. Also mention the
report in the security readme.

CHANGELOG-3.5.md

@@ -71,6 +71,7 @@ See [code changes](https://github.com/etcd-io/etcd/compare/v3.4.0...v3.5.0) and
 
 - Add [`TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256` and `TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256` to `etcd --cipher-suites`](https://github.com/etcd-io/etcd/pull/11864).
 - Changed [the format of WAL entries related to auth for not keeping password as a plain text](https://github.com/etcd-io/etcd/pull/11943).
+- Add third party [Security Audit Report](https://github.com/etcd-io/etcd/pull/12201).
 
 ### Metrics, Monitoring
 

security/README.md

@@ -31,3 +31,7 @@ As the security issue moves from triage, to identified fix, to release planning
 ## Public Disclosure Timing
 
 A public disclosure date is negotiated by the etcd Product Security Committee and the bug reporter. We prefer to fully disclose the bug as soon as possible once user mitigation is available. It is reasonable to delay disclosure when the bug or the fix is not yet fully understood, the solution is not well-tested, or for vendor coordination. The timeframe for disclosure is from immediate (especially if it's already publicly known) to a few weeks. As a basic default, we expect report date to disclosure date to be on the order of 7 days. The etcd Product Security Committee holds the final say when setting a disclosure date.
+
+## Security Audit
+
+A third party security audit was performed by Trail of Bits, find the full report [here](SECURITY_AUDIT.pdf).