diff --git a/UPGRADE.md b/CHANGELOG.md similarity index 91% rename from UPGRADE.md rename to CHANGELOG.md index 3c2fc50..94595cc 100644 --- a/UPGRADE.md +++ b/CHANGELOG.md @@ -1,15 +1,22 @@ +# Changelog -## Added +All notable changes to this project will be documented in this file. + +The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), +and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). + +## [Unreleased] + +### Added - Added `owasp:api2:2023-short-lived-access-tokens` to error on OAuth 2.x flows which do not use a refresh token. - Added `owasp:api3:2023-no-unevaluatedProperties` (format `oas3_1` only.) - Added `owasp:api3:2023-constrained-unevaluatedProperties` (format `oas3_1` only.) - Added `owasp:api5:2023-admin-security-unique`. -## Modified +### Changed - Renamed `owasp:api1:2019-no-numeric-ids` to `owasp:api1:2019-no-numeric-ids`. -- Deleted `owasp:api2:2023-protection-global-unsafe` as it allowed for unprotected POST, PATCH, PUT, DELETE and that's always going to be an issue. Use the new `owasp:api2:2023-write-restricted` rule which does not allow these operations to ever disable security, or use [Spectral overrides](https://docs.stoplight.io/docs/spectral/e5b9616d6d50c-rulesets) if you have an edge case. - Renamed `owasp:api2:2019-protection-global-unsafe-strict` to `owasp:api2:2023-write-restricted`. - Renamed `owasp:api2:2019-protection-global-safe` to `owasp:api2:2023-read-restricted` and increased severity from `info` to `warn`. - Renamed `owasp:api2:2019-auth-insecure-schemes` to `owasp:api2:2023-auth-insecure-schemes`. 
@@ -36,3 +43,7 @@ - Renamed `owasp:api7:2023-define-error-validation` to `owasp:api8:2023-define-error-validation`. - Renamed `owasp:api7:2023-define-error-responses-401` to `owasp:api8:2023-define-error-responses-401`. - Renamed `owasp:api7:2023-define-error-responses-500` to `owasp:api8:2023-define-error-responses-500`. + +### Removed + +- Deleted `owasp:api2:2023-protection-global-unsafe` as it allowed for unprotected POST, PATCH, PUT, DELETE and that's always going to be an issue. Use the new `owasp:api2:2023-write-restricted` rule which does not allow these operations to ever disable security, or use [Spectral overrides](https://docs.stoplight.io/docs/spectral/e5b9616d6d50c-rulesets) if you have an edge case. diff --git a/README.md b/README.md index 6b2ca3d..476e302 100644 --- a/README.md +++ b/README.md 
@@ -42,13 +42,13 @@ You should see some output like this: 44:17 warning owasp:api8:2023-define-error-responses-400:400 response should be defined.. Missing responses[400] paths./upload.post.responses 44:17 warning owasp:api8:2023-define-error-responses-429:429 response should be defined.. Missing responses[429] paths./upload.post.responses 44:17 warning owasp:api8:2023-define-error-responses-500:500 response should be defined.. Missing responses[500] paths./upload.post.responses - 45:15 error owasp:api4:2019-rate-limit All 2XX and 4XX responses should define rate limiting headers. paths./upload.post.responses[201] - 47:15 error owasp:api4:2019-rate-limit All 2XX and 4XX responses should define rate limiting headers. paths./upload.post.responses[401] - 53:15 error owasp:api4:2019-rate-limit All 2XX and 4XX responses should define rate limiting headers. paths./upload.post.responses[403] - 59:15 error owasp:api4:2019-rate-limit All 2XX and 4XX responses should define rate limiting headers. paths./upload.post.responses[409] - 65:15 error owasp:api4:2019-rate-limit All 2XX and 4XX responses should define rate limiting headers. paths./upload.post.responses[422] - 193:16 information owasp:api2:2019-protection-global-safe This operation is not protected by any security scheme. paths./sites.get.security - 210:16 information owasp:api2:2019-protection-global-safe This operation is not protected by any security scheme. paths./species.get.security + 45:15 error owasp:api4:2023-rate-limit All 2XX and 4XX responses should define rate limiting headers. paths./upload.post.responses[201] + 47:15 error owasp:api4:2023-rate-limit All 2XX and 4XX responses should define rate limiting headers. paths./upload.post.responses[401] + 53:15 error owasp:api4:2023-rate-limit All 2XX and 4XX responses should define rate limiting headers. paths./upload.post.responses[403] + 59:15 error owasp:api4:2023-rate-limit All 2XX and 4XX responses should define rate limiting headers. 
paths./upload.post.responses[409] + 65:15 error owasp:api4:2023-rate-limit All 2XX and 4XX responses should define rate limiting headers. paths./upload.post.responses[422] + 193:16 information owasp:api2:2023-read-restricted This operation is not protected by any security scheme. paths./sites.get.security + 210:16 information owasp:api2:2023-read-restricted This operation is not protected by any security scheme. paths./species.get.security ``` Now you have some things to work on for your API. Thankfully these are only at the `warning` and `information` severity, and that is not going to [fail continuous integration](https://meta.stoplight.io/docs/spectral/ZG9jOjExNTMyOTAx-continuous-integration) (unless [you want them to](https://meta.stoplight.io/docs/spectral/ZG9jOjI1MTg1-spectral-cli#error-results)).
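Review bot: the first `### Changed` entry in the CHANGELOG.md hunk renames a rule to itself: "Renamed `owasp:api1:2019-no-numeric-ids` to `owasp:api1:2019-no-numeric-ids`." Every other rename in this file goes from a `2019` id to a `2023` id, so the target is presumably the `2023` variant; please correct the second identifier, otherwise a reader migrating a ruleset override keyed on the old name will not learn the new one. Separately, the same hunk states that `owasp:api2:2023-read-restricted` was raised from `info` to `warn`, which the README sample output in this patch does not yet reflect (see the note on that hunk).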
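Review bot: the `### Removed` entry describes `owasp:api2:2023-write-restricted` as "the new" rule, but the `### Changed` section of the same file lists it as a rename of `owasp:api2:2019-protection-global-unsafe-strict`; say "the renamed" so users understand that the strict rule they may already have tuned is the replacement. Also check the id of the deleted rule: it is written with a `2023` prefix while every other pre-rename id in this file carries `2019`, and a user whose override targets the wrong name would silently keep unprotected POST, PATCH, PUT and DELETE operations passing. Stating the id users actually had in their rulesets removes that ambiguity.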
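Review bot: the two updated sample lines for `owasp:api2:2023-read-restricted` (193:16 and 210:16) still show the `information` severity, but the CHANGELOG.md hunk in this same patch says that rule's severity was increased from `info` to `warn`; update them to `warning` so the README output matches what the ruleset now emits. While here, note that the sample already contains five `error` lines from `owasp:api4:2023-rate-limit`, which contradicts the closing sentence "Thankfully these are only at the `warning` and `information` severity"; either drop those lines from the sample or reword the sentence, since an `error` result will fail continuous integration by default.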