Pond stores conversation history that may include API keys, secrets, file paths, and other sensitive content. Treat the data directory and any .pond archive as you would a secrets store.
To report a security vulnerability, please use GitHub's private vulnerability reporting rather than a public issue. I will acknowledge within 7 days.
There is no security SLA; pond is pre-v1 and ships under the Apache-2.0 license, without warranty.