You can report security bugs through the official Query Monitor Vulnerability Disclosure Program on Patchstack. The Patchstack team helps validate, triage, and handle any security vulnerabilities.
Do not report security issues on GitHub, on the WordPress.org support forums, or via email. Thank you.