You can report security bugs through the official Query Monitor Vulnerability Disclosure Program on Patchstack. The Patchstack team helps validate, triage, and handle any security vulnerabilities.
Do not report security issues on GitHub or the WordPress.org support forums. Thank you.