Mozilla has a well-defined process for handling security vulnerabilities based around responsible disclosure.

If you believe you have found a Kinto-related security vulnerability, you should visit the Mozilla bug bounty program for information on how to submit them.

This Bugzilla template will help you file a security vulnerability directly against Kinto (Remote Settings at Mozilla).