There is a bug bounty program for reports concerning Threema’s security. If you discover a security issue, please file a report on GObugfree (where all the details, including the bounty levels, are listed).
Please report bugs concerning Threema’s apps using the support form.