diff --git a/crates/borsh/RUSTSEC-0000-0000.md b/crates/borsh/RUSTSEC-0000-0000.md
new file mode 100644
index 0000000..9004399
--- /dev/null
+++ b/crates/borsh/RUSTSEC-0000-0000.md
@@ -0,0 +1,22 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "borsh"
+date = "2023-04-12"
+url = "https://github.com/near/borsh-rs/issues/19"
+references = ["https://github.com/near/borsh-rs/pull/136"]
+informational = "unsound"
+categories = ["memory-corruption"]
+
+[affected]
+[versions]
+patched = []
+```
+
+# Parsing borsh messages with ZST which are not-copy/clone is unsound
+
+Affected versions of borsh cause undefined behaviour when zero-sized-types (ZST) are parsed and the Copy/Clone traits are not implemented/derived.
+For instance if 1000 instances of a ZST are deserialized, and the ZST is not copy (this can be achieved through a a singleton), 
+then accessing/writing to deserialized data will cause a segmentation fault.
+
+There is currently no way for borsh to read data without also providing a Rust type. Therefore, it there are not ZST used for serialization, then you are not affected by this issue.