# Security
Pond stores conversation history that may include API keys, secrets, file paths, and other sensitive content. Treat the data directory and any `.pond` archive as you would a secrets store.
To report a security vulnerability, please use GitHub's [private vulnerability reporting](https://github.com/tenequm/pond/security/advisories/new) rather than a public issue. I will acknowledge within 7 days.
There is no security SLA; pond is pre-v1 and ships under the [Apache-2.0](LICENSE) license, without warranty.