diff --git a/README.md b/README.md index b1dcd7c..de2bd21 100644 --- a/README.md +++ b/README.md @@ -6,6 +6,9 @@ This is a simple tool that can be used to find vulnerable instances of log4j 1.x and 2.x (CVE-2019-17571, CVE-2021-44228) in installations of Java software such as web applications. JAR and WAR archives are inspected and class files that are known to be vulnerable are flagged. +The scan happens recursively: WAR files containing WAR files +containing JAR files containing vulnerable class files ought to be +flagged properly. This tool currently checks for known build artifacts that have been obtained through Maven. From-source rebuilds as they are done for
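Review bot: the added sentence hedges ("ought to be flagged properly") where user-facing documentation should state what the tool actually does; since this hunk touches only README.md and no scanner code or test accompanies it, the wording should either assert the behaviour plainly or say it is untested. Suggest something like "Archives are scanned recursively, so a vulnerable class file inside a JAR inside a WAR inside another WAR is flagged" and, if the recursion has a depth limit or skips any archive type, say so here, because a reader deciding whether to trust a clean scan result needs that caveat.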