diff --git a/pairing/bn256/README.md b/pairing/bn256/README.md index 01ad08b4..9aa12eeb 100644 --- a/pairing/bn256/README.md +++ b/pairing/bn256/README.md @@ -13,11 +13,18 @@ Barreto-Naehrig curve as described in http://cryptojedi.org/papers/dclxvi-20100714.pdf. Its output is compatible with the implementation described in that paper. +### Security Warnings +--- This package previously claimed to operate at a 128-bit security level. However, recent improvements in attacks mean that is no longer true. See -https://moderncrypto.org/mail-archive/curves/2016/000740.html. +https://moderncrypto.org/mail-archive/curves/2016/000740.html. +We strongly recommend using the `BLS12-381` curve that still provide ~128-bit security and is not vulnerable to these improved attacks. + +#### Modulo bias in Hash() +A modulo bias was found in [hashToPoint()](https://github.com/dedis/kyber/blob/9ac80102d756a21f318685e230e33791c44b5e2e/pairing/bn256/point.go#L239), for reason of backward compatibility we did not fix it. This problem was raised in issue [#439](https://github.com/dedis/kyber/issues/439). If backward compatibility is not a problem, and this is really the curve you want to use, a potential workaround is also suggested in the linked issue. Otherwise `BLS12-381` also provides `Hash()` as defined in [RFC9380](https://datatracker.ietf.org/doc/rfc9380/). ### Benchmarks +--- branch `master`: ```
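Review bot: In the new "Security Warnings" paragraph, "the `BLS12-381` curve that still provide ~128-bit security" should read "provides", and "for reason of backward compatibility we did not fix it" should read "for reasons of backward compatibility"; the sentence starting "A modulo bias was found in ..." is also a run-on and would read better split at "we did not fix it." Two smaller points in the same hunk: the `-https://moderncrypto.org/...` / `+https://moderncrypto.org/...` pair appears to change only trailing whitespace, so that line could be dropped from the diff to keep it focused on the new warning; and the `+---` lines added directly under `### Security Warnings` and `### Benchmarks` introduce thematic breaks beneath ATX headings that the rest of the README does not use, so consider removing them for consistency. Finally, the heading says "Modulo bias in Hash()" while the link text names `hashToPoint()`; naming the same function in both (or stating that `Hash()` calls `hashToPoint()`) would make the warning unambiguous for readers.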