snyk / vulncost

Find security vulnerabilities in open source npm packages while you code
https://marketplace.visualstudio.com/items?itemName=snyk-security.vscode-vuln-cost
MIT License

wish: update README to document whether the scanning is local or remote #17

Closed markstos closed 4 years ago

markstos commented 4 years ago

It's important to note for privacy whether this tool does the scanning locally or whether the user's code is ever uploaded for scanning. If the scanning happens locally, clarify how the local vuln database is updated.

thisislawatts commented 4 years ago

Hey @markstos, this is an interesting question. Would you be able to explain more about the concern you'd like addressed in the documentation?

At the moment the only details which leave your machine are a package name and version string.

markstos commented 4 years ago

Thanks for the quick reply. For example, if you were uploading entire code documents, that would be a concern. I think a simple statement could suffice:

To perform the scanning, Snyk uploads related package names and version strings to check against our constantly updated vulnerability database.

thisislawatts commented 4 years ago

Thanks @markstos, thanks for clarifying. Please see the associated PR and let me know if you think there is any further information we could provide here.