If you believe that you've found a Syncthing-related security vulnerability, please report it by sending email to the address [email protected]. The PGP key for [email protected] (B683AD7B76CAB013) can be used to send encrypted mail or to verify responses received from that address.
You can read more about Syncthing security at https://syncthing.net/security/.