Pi-hole welcomes all responsible disclosures.

NEVER open an issue to report or discuss a security problem.
Vulnerabilities should only be discussed privately until the official announcement on the release date.

Please, send a detailed mail to disclosure@pi-hole.net to report Pi-hole vulnerabilities.
Your e-mail should include information like:

• A description to demonstrate an exploit (including steps to reproduce it).
• The affected platforms and scenarios (the vulnerability might only affect setups with case-sensitive file systems, for example).
• The name and affiliation of the security researchers who are involved in the discovery, if any.
• Whether the vulnerability has already been disclosed.