diff --git a/CHANGELOG.md b/CHANGELOG.md
index ceca5a92f..3df709402 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,15 @@
 - See docs/MiddlewareConfiguration.md
 - See https://www.pivotaltracker.com/epic/show/5024251 for details
 
+# 5.0.10
+- Bugfix: ensure RA(A) authorisations are verified against the ra_listing projection
+  this caused RAA authorisations to be available to RA users.
+- BC: SelfService 3.5 was not compatible with Middleware 5.0.9. The self vet command changed
+  from using the authoring second factor identifier to use the authoring loa. Underwater, the
+  second factor identifier field already transported the loa, in version 5.0 that field was 
+  renamed. In this release MW can support use of both fields. Version 5.1 should remove this
+  support. #402
+
 # 5.0.9
 - Support self-vetting of self-asserted tokens #401