If you believe that you've found a Syncthing-related security vulnerability, please report it by sending email to the address security@syncthing.net. The PGP key for security@syncthing.net (B683AD7B76CAB013) can be used to send encrypted mail or to verify responses received from that address.
You can read more about Syncthing security at https://syncthing.net/security/.