resolve and fix a reported vulnerability.

## Vulnerability Management Process

The vulnerability management process requires that the vulnerability report
contains the following information:

- The project / component that contains the reported vulnerability.
- A description of the vulnerability. In particular, the type of the
   reported vulnerability and how it might be exploited. Alternatively,

On Windows, the mode bits reported by [Lstat] and [Stat] for
reparse points changed. Mount points no longer have [ModeSymlink] set,
and reparse points that are not symlinks, Unix sockets, or dedup files
now always have [ModeIrregular] set.
This behavior is controlled by the `winsymlink` setting.
For Go 1.23, it defaults to `winsymlink=1`.

  // for which capacity was reported. If not set, the storage is
  // not accessible from any node in the cluster. If empty, the
  // storage is accessible from all nodes. This field is
  // immutable.
  //
  // +optional
  optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector nodeTopology = 2;

  // storageClassName represents the name of the StorageClass that the reported capacity applies to.

## Enforcement

Instances of abusive, harassing, or otherwise unacceptable behavior may be
reported by contacting the project team at ******@****.***. The project team
will review and investigate all complaints, and will respond in a way that it deems
appropriate to the circumstances. The project team is obligated to maintain
confidentiality with regard to the reporter of an incident.
Further details of specific enforcement policies may be posted separately.

  // for which capacity was reported. If not set, the storage is
  // not accessible from any node in the cluster. If empty, the
  // storage is accessible from all nodes. This field is
  // immutable.
  //
  // +optional
  optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector nodeTopology = 2;

  // storageClassName represents the name of the StorageClass that the reported capacity applies to.

(Older toolchains ignore `//go:debug` directives entirely.)

The defaults that will be compiled into a main package
are reported by the command:

{{raw `
	go list -f '{{.DefaultGODEBUG}}' my/main/package
`}}

Only differences from the base Go toolchain defaults are reported.

When testing a package, `//go:debug` lines in the `*_test.go`
files are treated as directives for the test's main package.

```sh
curl https://play.min.io/minio/v2/metrics/cluster
```

### List of metrics reported Cluster and Bucket level

[The list of metrics reported can be here](https://github.com/minio/minio/blob/master/docs/metrics/prometheus/list.md)

### Configure Alerts for Prometheus

Violations of the Code of Conduct can occur in any setting, even those unrelated to the project. We will only consider complaints about conduct that has occurred within one year of the report.


## Enforcement

the behavior you are seeing is confirmed as a bug or issue, it can easily be re-raised in the issue tracker.

## Filing issues

Sensitive security-related issues should be reported to [******@****.***](mailto:******@****.***).
See the [security policy](https://golang.org/security) for details.

The recommended way to file an issue is by running `go bug`.

### Disclosure Process

MinIO uses the following disclosure process:

1. Once the security report is received one member of the security team tries to verify and reproduce
   the issue and determines the impact it has.
2. A member of the security team will respond and either confirm or reject the security report.
   If the report is rejected the response explains why.
3. Code is audited to find any potential similar problems.