You are not allowed to perform pentests without the agreement of the admin.
If you want to test the security of YunoHost, DON'T DO IT on this server. You can set up your own in a lot of ways, and YunoHost can help you get some dedicated pentesting infra.
If you found something by chance, feel free to report it to this address: abuse@maindomain.tld
If you think the problem concerns all YunoHost instances, you could report it to the YunoHost security team.
Security.txt allows security researchers to easily report information about security holes. We could generate something like this:
/.well-known/security.txt
/security.html
https://securitytxt.org/
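
An added example, not part of the original proposal or of YunoHost's code: shell functions that render the proposed /.well-known/security.txt with fields defined by RFC 9116 and check that a deployed copy still has a Contact and an unexpired Expires. The function names, the 180-day lifetime and the use of `date -d @epoch` (GNU or busybox date, as on Debian) are assumptions.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not YunoHost code).

# gen_security_txt DOMAIN [NOW_EPOCH]: print a security.txt for DOMAIN.
gen_security_txt() {
    domain=$1
    now=${2:-$(date -u +%s)}
    # RFC 9116 requires Expires and recommends less than a year ahead;
    # 180 days is an assumed lifetime.
    exp=$(date -u -d "@$((now + 180 * 86400))" +%Y-%m-%dT%H:%M:%SZ) || return 1
    cat <<EOF
Contact: mailto:abuse@$domain
Expires: $exp
Policy: https://$domain/security.html
Canonical: https://$domain/.well-known/security.txt
EOF
}

# check_security_txt FILE [NOW_EPOCH]: return 0 if FILE is still usable.
check_security_txt() {
    file=$1
    now=${2:-$(date -u +%s)}
    # Contact is mandatory and must be a URI (field names are case-insensitive).
    grep -Eiq '^Contact:[[:space:]]*(mailto:|https://|tel:)' "$file" ||
        { echo "security.txt: no usable Contact field" >&2; return 1; }
    # Expires is mandatory and must appear exactly once.
    [ "$(grep -Eic '^Expires:' "$file")" -eq 1 ] ||
        { echo "security.txt: need exactly one Expires field" >&2; return 1; }
    exp=$(sed -n 's/^[Ee][Xx][Pp][Ii][Rr][Ee][Ss]:[[:space:]]*//p' "$file" | tr -d '\r')
    # Only the UTC "Z" form written by gen_security_txt is handled here.
    case $exp in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]T[0-9][0-9]:[0-9][0-9]:[0-9][0-9]Z) ;;
        *) echo "security.txt: unsupported Expires format" >&2; return 1 ;;
    esac
    # Same-format UTC timestamps compare correctly once reduced to digits.
    now_s=$(date -u -d "@$now" +%Y%m%d%H%M%S)
    exp_s=$(printf %s "$exp" | tr -cd 0-9)
    [ "$exp_s" -gt "$now_s" ] ||
        { echo "security.txt: Expires is in the past" >&2; return 1; }
}

# Demo with the placeholder domain used in the text above.
gen_security_txt maindomain.tld
```

Running the check from a periodic job catches the common failure where the file is published once and its Expires date silently passes.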