For now, only the latest released version will receive security updates.
Even though synth is a command line tool without special privileges and usually won't touch sensitive data (unless perhaps for import), we take our users' security seriously.
If you found a vulnerability, please send an email to security@getsynth.com. Please include the synth version, operating system and CPU architecture you use as well as the steps to exploit.
We will try to get back to you in a timely manner, at least within a week. This should include either a due date for a fix or a rejection should we not agree that what was reported is in fact a vulnerability.
Once the vulnerability is fixed, we will file for a CVE in cooperation with the reporter.