Mention security assessment by NCC Group

Microsoft Corporation had NCC Group do a security assessment which included portions of fxamacker/cbor v2.4.0 in its scope.
fxamacker · Jul 16, 2022 · 77950b0 · 77950b0
1 parent ab3392f
commit 77950b0
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -16,6 +16,8 @@ Features include CBOR tags, duplicate map key detection, float64→32→16, and
 
 Using CBOR [Preferred Serialization](https://www.rfc-editor.org/rfc/rfc8949.html#name-preferred-serialization) with Go struct tags (`toarray`, `keyasint`, `omitempty`) reduces programming effort and creates smaller encoded data size.
 
+Microsoft Corporation had NCC Group produce a [security assessment (PDF)](https://github.com/veraison/go-cose/blob/v1.0.0-rc.1/reports/NCC_Microsoft-go-cose-Report_2022-05-26_v1.0.pdf) which includes portions of this library in its scope.
+
 fxamacker/cbor has 98% coverage and is fuzz tested.  It won't exhaust RAM decoding 9 bytes of bad CBOR data.  It's used by Arm Ltd., Berlin Institute of Health at Charité, Chainlink, ConsenSys, Dapper Labs, Duo Labs (cisco), EdgeX Foundry, Mozilla, Netherlands (govt), Oasis Labs, Taurus SA, Teleport, and others.
 
 Install with `go get github.com/fxamacker/cbor/v2` and `import "github.com/fxamacker/cbor/v2"`.