Enhance readme with API access and FAQ sections

readme.md

@@ -15,6 +15,7 @@ wp package install 10up/wpcli-vulnerability-scanner:dev-stable
 ```
 
 ### API Access
+
 WP-CLI Vulnerability Scanner works with [WPScan](https://wpscan.com), [Patchstack](https://patchstack.com/) and [Wordfence Intelligence](https://www.wordfence.com/threat-intel/) to check reported vulnerabilities; you can choose any one of these three to use. You will need to add a constant in your `wp-config.php` to decide which API service you want to use (by default **WPScan API** will be used).
 
 To use **WPScan API**:
@@ -39,7 +40,6 @@ For WPScan and Patchstack you will need to register for a user account and suppl
 define( 'VULN_API_TOKEN', 'YOUR_TOKEN_HERE' );
 ```
 
-
 ### Global command, manually
 
 Clone this repo, checkout to stable branch and require `wpcli-vulnerability-scanner.php` from wp-cli config.  E.g. in `~/.wp-cli/config.yml` [[other config locations](https://make.wordpress.org/cli/handbook/references/config/#config-files)]
@@ -268,6 +268,12 @@ composer behat -- features/vuln-patchstack.feature
 composer behat -- features/vuln-wordfence.feature
 ```
 
+## Frequently Asked Questions
+
+### Where do I report security bugs found in this plugin?
+
+Please report security bugs found in the source code of the undefined plugin through the [Patchstack Vulnerability Disclosure  Program](https://patchstack.com/database/vdp/189e9e72-27f1-4d80-86fd-7a28975550af).  The Patchstack team will assist you with verification, CVE assignment, and notify the developers of this plugin.
+
 ## Support Level
 
 **Active:** 10up is actively working on this, and we expect to continue work for the foreseeable future including keeping tested up to the most recent version of WordPress. Bug reports, feature requests, questions, and pull requests are welcome.