diff --git a/include/functions b/include/functions
index 2bfae8db..1459c072 100644
--- a/include/functions
+++ b/include/functions
@@ -3043,6 +3043,18 @@
 #
 # Parameters : $@ = command arguments
 # Returns : None (executes the command as the appropriate user)
+ # Notes : This allows dropping permissions for specific commands when
+ # lynis is invoked as root, preventing privilege escalation
+ # risks (CWE-250, CWE-271).
+ #
+ # By isolating privileged code and dropping said privileges as
+ # soon as possible, we can execute tools with their proper
+ # permissions, such as in the case of Homebrew.
+ #
+ # When available, we use `sudo` and `su`. For a strictly
+ # POSIX-compliant environment, a C implementation could be
+ # made using `setgid()` and `setuid()`.
+ ################################################################################
 ################################################################################
 RunCmdAsUser() {