diff --git a/README b/README
index 5e24bc7..5d2477e 100644
--- a/README
+++ b/README
@@ -34,7 +34,9 @@ Specify files to encrypt by creating a .gitattributes file:
 Like a .gitignore file, it can match wildcards and should be checked into
 the repository.  See below for more information about .gitattributes.
 Make sure you don't accidentally encrypt the .gitattributes file itself
-(or other git files like .gitignore or .gitmodules).
+(or other git files like .gitignore or .gitmodules).  Make sure your
+.gitattributes rules are in place *before* you add sensitive files, or
+those files won't be encrypted!
 
 Share the repository with others (or with yourself) using GPG:
 
@@ -102,6 +104,10 @@ instead.  (Note: no endorsement is made of git-remote-gcrypt's security.)
 git-crypt does not encrypt file names, commit messages, symlink targets,
 gitlinks, or other metadata.
 
+git-crypt does not hide when a file does or doesn't change, the length
+of a file, or the fact that two files are identical (see "Security"
+section above).
+
 Files encrypted with git-crypt are not compressible.  Even the smallest
 change to an encrypted file requires git to store the entire changed file,
 instead of just a delta.
diff --git a/README.md b/README.md
index 5958a7c..2fffbef 100644
--- a/README.md
+++ b/README.md
@@ -35,7 +35,9 @@ Specify files to encrypt by creating a .gitattributes file:
 Like a .gitignore file, it can match wildcards and should be checked into
 the repository.  See below for more information about .gitattributes.
 Make sure you don't accidentally encrypt the .gitattributes file itself
-(or other git files like .gitignore or .gitmodules).
+(or other git files like .gitignore or .gitmodules).  Make sure your
+.gitattributes rules are in place *before* you add sensitive files, or
+those files won't be encrypted!
 
 Share the repository with others (or with yourself) using GPG:
 
@@ -104,6 +106,10 @@ instead.  (Note: no endorsement is made of git-remote-gcrypt's security.)
 git-crypt does not encrypt file names, commit messages, symlink targets,
 gitlinks, or other metadata.
 
+git-crypt does not hide when a file does or doesn't change, the length
+of a file, or the fact that two files are identical (see "Security"
+section above).
+
 Files encrypted with git-crypt are not compressible.  Even the smallest
 change to an encrypted file requires git to store the entire changed file,
 instead of just a delta.