diff --git a/ql/src/queries/security/cwe-732/WeakFilePermissions.ql b/ql/src/queries/security/cwe-732/WeakFilePermissions.ql
index d75aa6831e7..7d6916e667c 100644
--- a/ql/src/queries/security/cwe-732/WeakFilePermissions.ql
+++ b/ql/src/queries/security/cwe-732/WeakFilePermissions.ql
@@ -40,6 +40,8 @@ bindingset[p] string access(int p) {
 p.bitAnd(2) != 0 and result = "writable"
 or
+ // report only the "most permissive" permission, i.e. report the file as
+ // readable only if it is not also writable
 p.bitAnd(2) = 0 and p.bitAnd(4) != 0 and result = "readable"
 }
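Review bot: The added comment explains the `p.bitAnd(2) = 0` guard, but the reader still has to infer the predicate's overall contract from the bit tests: that, at least between these two disjuncts, `access` yields a single string per `p` and `"writable"` takes precedence over `"readable"`. Stating that directly would make the intent of the masking explicit, e.g. `// access(p) yields at most one label per p; "writable" wins over "readable"`. Placing the comment before the `or` rather than between `or` and its second disjunct would also read more naturally, since it describes the relationship between both branches. The body of `access` begins before this hunk (only its signature is visible in the hunk header), so whether other permission bits are handled earlier cannot be seen here.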