diff --git a/README.md b/README.md
index 59485f9..4e77f54 100644
--- a/README.md
+++ b/README.md
@@ -68,8 +68,6 @@ const plaintext = stream.decrypt(ciphertext); // bytesToUtf8(plaintext)
 - [Speed](#speed)
 - [Contributing & testing](#contributing--testing)
 - [Resources](#resources)
-  - [Projects using ciphers](#projects-using-ciphers)
-- [License](#license)
 
 ## Modules
 
@@ -324,6 +322,8 @@ The library has not been independently audited yet.
 It is tested against property-based, cross-library and Wycheproof vectors,
 and has fuzzing by [Guido Vranken's cryptofuzz](https://github.com/guidovranken/cryptofuzz).
 
+If you see anything unusual: investigate and report.
+
 ### Constant-timeness
 
 _JIT-compiler_ and _Garbage Collector_ make "constant time" extremely hard to
@@ -336,31 +336,24 @@ Use low-level libraries & languages. Nonetheless we're targetting algorithmic co
 
 ### Supply chain security
 
-1. **Commits** are signed with PGP keys, to prevent forgery. Make sure to verify commit signatures.
-2. **Releases** are transparent and built on GitHub CI. Make sure to verify [provenance](https://docs.npmjs.com/generating-provenance-statements) logs
-3. **Rare releasing** is followed.
-   The less often it is done, the less code dependents would need to audit
-4. **Dependencies** are minimal:
-   - All deps are prevented from automatic updates and have locked-down version ranges. Every update is checked with `npm-diff`
-   - Updates themselves are rare, to ensure rogue updates are not catched accidentally
-5. devDependencies are only used if you want to contribute to the repo. They are disabled for end-users:
+* **Commits** are signed with PGP keys, to prevent forgery. Make sure to verify commit signatures.
+* **Releases** are transparent and built on GitHub CI. Make sure to verify [provenance](https://docs.npmjs.com/generating-provenance-statements) logs
+* **Rare releasing** is followed to ensure less re-audit need for end-users
+* **Dependencies** are minimized and locked-down:
+   - If your app has 500 dependencies, any dep could get hacked and you'll be downloading
+     malware with every install. We make sure to use as few dependencies as possible
+   - We prevent automatic dependency updates by locking-down version ranges. Every update is checked with `npm-diff`
+* **Dev Dependencies** are only used if you want to contribute to the repo. They are disabled for end-users:
    - scure-base, micro-bmark and micro-should are developed by the same author and follow identical security practices
    - prettier (linter), fast-check (property-based testing) and typescript are used for code quality, vector generation and ts compilation. The packages are big, which makes it hard to audit their source code thoroughly and fully
 
-We consider infrastructure attacks like rogue NPM modules very important;
-that's why it's crucial to minimize the amount of 3rd-party dependencies & native bindings.
-If your app uses 500 dependencies, any dep could get hacked and you'll be
-downloading malware with every install. Our goal is to minimize this attack vector.
-
-If you see anything unusual: investigate and report.
-
 ### Randomness
 
 We're deferring to built-in
 [crypto.getRandomValues](https://developer.mozilla.org/en-US/docs/Web/API/Crypto/getRandomValues)
 which is considered cryptographically secure (CSPRNG).
-
 In the past, browsers had bugs that made it weak: it may happen again.
+
 ## Speed
 
 To summarize, noble is the fastest JS implementation.
@@ -445,18 +438,9 @@ chacha (encrypt, 1MB)
 
 ## Resources
 
-- [Fast-key-erasure random-number generators](https://blog.cr.yp.to/20170723-random.html)
-- [The design of Chacha20](https://loup-vaillant.fr/tutorials/chacha20-design)
-- [The design of Poly1305](https://loup-vaillant.fr/tutorials/poly1305-design)
-- [How to design a new block cipher?](https://crypto.stackexchange.com/a/39792/71535)
-- Multi-user / multi-key attacks
-  - [Break a dozen secret keys, get a million more for free](https://blog.cr.yp.to/20151120-batchattacks.html)
-  - [128 Bits of Security and 128 Bits of Security: Know the Difference](https://loup-vaillant.fr/tutorials/128-bits-of-security)
-
-### Projects using ciphers
-
-- [js-libp2p-noise](https://github.com/ChainSafe/js-libp2p-noise)
-- See [full list of projects on GitHub](https://github.com/paulmillr/noble-curves/network/dependents).
+Check out [paulmillr.com/noble](https://paulmillr.com/noble/)
+for useful resources, articles, documentation and demos
+related to the library.
 
 ## License