If you are an official chaton or an ISP from FFDN, you are allowed to practice some pentests with the agreement of the others members of your organization EXCEPT for some servers which have a security.txt and security instructions that exclude this practice.
However, in anyway, doing something compromizing the stability and performances of ReflexLibre services or it's customer activities is DISALLOWED. If you think something is bad on this side, ask me an authenticated authorization first.
Note: ReflexLibre is a very small firm, i have no security bounty, but i can offer you a beer or an orange juice on a freesoftware event if you have found a manifest issue.
If you want to test security about YunoHost, DON'T DO IT on servers managed by ReflexLibre. You can setup your own in a lot of way, and I (ljf) can help you to get some dedicated pentesting infra.
If you found something by chance, feel free to report it.
If you found something please communicate with me in an encrypted way.
Mail: firstname.lastname@example.org - GPG C253 C03D A0BE 5A8A F3B7 F8BE 20E3 A0C7 7338 C32C
Alternative Mail: email@example.com - GPG D96B 4FEA 0C22 04A2 B17C 4F18 00A3 5C27 0CC6 A81D
Finally, if you are sure the problem concerns YunoHost, you could do a report to the YunoHost security team