Hacker News

People do similar things quite often at Google and I haven't heard any of them getting fired before.


Security team members modifying their tools that are deployed to a large number of employees for fun?


Only sort of related, but one time some of the YouTube engineering team made a code change to kill off usage of Internet Explorer 6 by bypassing the usual code screening process to circumvent management. Their boss reprimanded them but eventually got in on it, without going through the appropriate channels. Then the Docs team saw the banner they showed YouTube users, thought they had actually received approval from management and used it as evidence to convince their managers to implement their own banner (who would have normally refused).

All they received was a small rebuke. In fact, management praised the team for the end result of decimating IE6 usage, as intended.

Then one of the architects of the scheme blogged about it in retrospect years later.

https://blog.chriszacharias.com/a-conspiracy-to-kill-ie6


There is a reason I am specifically talking about security team members.


They got lucky with positive press before they were discovered. The article you link to notes:

> If this went at all wrong, a number of us would surely be fired.


It was a configuration change so there were no dangers adding it, so her being a security engineer isn't relevant. The right punishment would be to tell her what channels she can use to send union messages and tell her to just do security related popups in the future. If she continued sending messages like this then fire her, but it is dumb that she got fired over something that would take literally 5 minutes to fix.


Configuration is code. Many an outage has been caused by a bad configuration push.


Configuration which consists of a URL and a message to display on said URL is not that kind of configuration push.


It's extremely relevant. I will reiterate: I know literally 0 large companies where this would be tolerated from a security team member.


Google did tolerate exactly the same kind of behavior from the internal OS distribution team before, you could argue that security is even more important there than in a browser plugin.


I am not a Googler but I reiterate I know exactly 0 CSOs that would tolerate this. You providing an example outside of the security team kinda reinforces my point.


The internal OS distribution team is a security team. They ensure that the OS everyone at Google works on and runs their code on is secure.


They report to the CSO? Would be pretty unusual. Again, not a Googler, but normally that would not be part of the security team.


Google has a lot of security teams since they do all of their infra themselves. The people who push security patches to people's OSes are a security team, and they used that channel to push a message similar to this.


Part of the job was writing precisely that sort of pop-ups.


No, part of the job was to write pop-ups related to _security_, not to random things.

This was absolutely off limits.



