If you find a security issue with go-dqlite, the best way to report it is using GitHub's private vulnerability reporting. Here is the form to submit a report, and here is the detailed documentation for the GitHub feature.
Once you submit a report, the dqlite team will work with you to figure out whether there is a security issue. If so, we will develop a fix, get a CVE assigned, and coordinate the release of the fix. The Ubuntu Security disclosure and embargo policy contains more information about what you can expect during this phase, and what we expect from you.