Only the most recently released minor version is actively supported. I.e. if fluidsynth 2.5.5 was the latest release, vulnerabilities may be reported for any of the 2.5.x releases as well as for recent master.
The preferred way is to report vulnerabilities via Fluidsynth's Github Repository at:
https://github.com/FluidSynth/fluidsynth/security/advisories
Alternatively, vulnerabilities may be reported via EMail to Fluidsynth's current maintainer. The mail address can be obtained from https://www.fluidsynth.org .