Commit 84715ba

docs: improve limitations section (#1496) (#1604)
1 parent 227dc26 commit 84715ba

File tree

1 file changed

+10
-0
lines changed

README.md

Lines changed: 10 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -255,8 +255,18 @@ This tool is meant to be used as a quick-to-run, easily-automatable check in a
255255
non-malicious environment so that developers can be made aware of old libraries
256256
with security issues that have been compiled into their binaries.
257257

258+
The tool does not guarantee that any vulnerabilities reported are actually present or exploitable, neither is it able to find all present vulnerabilities with a guarantee.
259+
260+
Users can add triage information to reports to mark issues as false positives, false negatives, indicate that the risk has been mitigated by configuration/usage changes, and so on.
261+
262+
Triage details can be re-used on other projects so, for example, triage on a Linux base image could be applied to multiple containers using that image.
263+
264+
For more information and usage of triage information with the tool kindly have a look [here](https://cve-bin-tool.readthedocs.io/en/latest/MANUAL.html#i-input-file-input-file-input-file).
265+
258266
If you are using the binary scanner capabilities, be aware that we only have a limited number of binary checkers (see table above) so we can only detect those libraries. Contributions of new checkers are always welcome! You can also use an alternate way to detect components (for example, a bill of materials tool such as [tern](https://github.com/tern-tools/tern)) and then use the resulting list as input to cve-bin-tool to get a more comprehensive vulnerability list.
259267

268+
The tool uses a vulnerability database in order to detect the present vulnerabilities, in case the database is not frequently updated (specially if the tool is used in offline mode), the tool would be unable to detect any newly discovered vulnerabilities. Hence it is highly advised to keep the database updated.
269+
260270
## Requirements
261271

262272
To use the auto-extractor, you may need the following utilities depending on the
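Review bot: the paragraph added at +268 is a comma-spliced run-on and "specially" should be "especially"; split it into separate sentences, e.g. "The tool uses a vulnerability database to detect vulnerabilities. If that database is not updated frequently (especially when the tool is run in offline mode), newly discovered vulnerabilities will not be detected, so keep the database up to date." The sentence at +258 is also awkward ("neither is it able to find all present vulnerabilities with a guarantee"); "nor can it guarantee that it finds every vulnerability that is present" reads more naturally. Two smaller points: the link text "here" at +264 is not descriptive, and its anchor (`#i-input-file-input-file-input-file`) names the input-file section of the manual, so please confirm it actually lands on the triage documentation; and the surrounding README wraps prose at roughly 80 columns (see the unchanged context lines at 255-257) while the added lines are single long lines, so wrap them to match the file's existing style.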