diff --git a/CHANGELOG b/CHANGELOG new file mode 100644 index 00000000..960ebf96 --- /dev/null +++ b/CHANGELOG 
@@ -0,0 +1,130 @@ +Version 2.2 released: yyyy-m-d + +* Addidions +Output the vulnerability fix if available +Added 'WordPress Version Vulnerability' statistics +Added Kali Linux on the list of pre-installed Linux distributions +Added hosted wordpress detection. See issue #343. +Add detection for all-in-one-seo-pack +Use less memory when brute forcing with a large wordlist +Memory Usage output +Added cve tag to xml file +Add documentation to readme +Add --version switch +Parse robots.txt +Show twitter usernames +Clean logfile on wpstools too +Added pingback header +Request_timeout and connect_timeout implemented +Output interesting http-headers +Kali Linux detection +Ensure that brute forcing results are output even if an error occurs or the user exits +Added debug output +Fixed Version compare for issue #179 +Added ruby-progressbar version to Gemfile +Use the redirect_to parameter on bruteforce +Readded "junk removal" from usernames before output +Add license file +Output the timthumb version if found +New enumeration system +More error details for XSD checks +Added default wp-content dir detection, see Issue #141. +Added checks for well formed xml + +* Changed +Make a seperator between plugin name and vulnerability name +It's WordPress, not Wordpress +Changed wordpress.com scanning error to warning. See issue #343. +Make output lines consistent +Replace packetstormsecurity.org to packetstormsecurity.com +Same URL syntax for all Packet Storm Security URL's +Packet Storm Security URL's don't need the 'friendly part' of the URL. So it can be neglected. +Use online documentation +User prompt on same line +Ruby-progressbar Gemfile version bump +Banner artwork +Handle when there are 2 headers of the same name +Releasing the Typhoeus version constraint +Amended Arch Linux install instructions. See issue #183. 
+ +* Update +Plugins & Themes updated +Update README.md +Updated documentation + +* Remove +Removed 'smileys' in output messages +Removed 'for WordPress' and 'plugin' in title strings. +Removed reference +Removed useless code +Removed duplicate vulnerabilities + +* General core +Code cleaning +Fix typo's +clean up rspecs +Themes & Plugins lists regenerated +Rspecs +Code Factoring +Added checks for old ruby. Otherwise there will be syntax errors + +* Vulnerabilities +Update WordPress Vulnerabilities +Update timthumb due to Secunia #54801 +Added WP vuln: 3.4 - 3.5.1 wp-admin/users.php FPD + +* WPScan Databse Statistics: +Total vulnerable versions: 76, 4 are new +Total vulnerable plugins: 606, 197 are new +Total vulnerable themes: 194, 45 are new +Total version vulnerabilities: 274, 53 are new +Total plugin vulnerabilities: 764, 270 are new +Total theme vulnerabilities: 198, 46 are new + +* Add WP Fingerprints +WP 3.7.1 Fingerprinting +WP 3.7 Fingerprinting +Ref #280 WP 3.6.1 fingerprint +Added WP 3.6 advanced fingerprint hash. See Issue #255. +Updated MD5 hash of WP 3.6 detection. See Issue #277. +WP 3.5.2 Fingerprint +Bug Fix : Wp 3.5 & 3.5.1 not detected from advanced fingerprinting. + +* Fixed issues +Trying a fix for Kali Linux +Fix #249 +Fix #275 +Fix #271 Further Instructions added to the Mac Install +Don't skip passwords that start with a hash. This is fairly common (see RockYou list for example). +Fix #266 - passive detection regex +Fix #265 - remove base64 images before passive detection +Fix #262 +Ref #260 Fixes Travis Fail, due to rspec-mock v2.14.3 +Fix for xmlrpc false positive. Issue #260. +Fix #208 - Fixed vulnerable plugins still appear in the results +Fix #245 +Fix #241 +Fix #232 +Fix #231 +Updated Fedora install instructions as per Issue #92 +Slight update to security plugin warning. Issue #212. 
+Fix #223 - New wordpress urls for most popular plugins & themes +Fix #177 - Passive Cache plugins detection (no spec) +Possible fix for #169 - False reports +Fix #182 - Remove the progress-bar static length (120), and let it to automatic +Fix #181 - Don't exit if no usernames found during a simple enumeration (but exit if a brute force is asked) +Fix for issue #200 +Fix #164 - README.txt detection +Fix #166 - ListGenerator using the old Browser#get method for full generation +Fix hacks.rb conflict +Fix error with the -U option (undefined method 'merge' for #WpTarget:) +Fix #153 - Disable error trace when it's from the main script +Fix #163 - in the proper way +Fix #144 - Use cookie jar to prevent infinite redirections loop +Fix #158 - Add the solution to 'no such file to load -- rubygems' in the README +Fix #152 - invalid ssl_certificate - response code 0 +Fix #147 - can't modify frozen string +Fix #140 - xml_rpc_url in the body +Fix #153 - No error trace when 'No argument supplied' + +Version 2.1 released 2013-3-4
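Review bot: The release header on the first added line of CHANGELOG still carries the placeholder date "Version 2.2 released: yyyy-m-d"; set the real date before merging, and use one format for both headers, since "Version 2.1 released 2013-3-4" has no colon. Headings and entries contain typos: "Addidions", "WPScan Databse Statistics", and "seperator" in the Changed list. Under "Fixed issues", the entries "Fix #249", "Fix #275", "Fix #262", "Fix #245", "Fix #241", "Fix #232" and "Fix #231" are bare issue numbers, so a reader cannot tell from the changelog whether a fix changes detection results; give each a short summary, as is done for "Fix #266 - passive detection regex". "Fix #153" is listed twice with different descriptions, and "Kali Linux detection" overlaps with "Added Kali Linux on the list of pre-installed Linux distributions"; merge each pair into one entry. "Fixed Version compare for issue #179" sits in the additions section but reads as a fix and belongs under "Fixed issues".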