If part of their job is working with the OSS community I don’t see anything wrong (and I just finished my annual training a few weeks ago, so it’s still fresh in my mind).
Edit: keeping an “official” repo secret does seem like an issue, but public posts about the correct process to contribute upstream doesn’t seem like a problem.
All I see is two people failing their corporately mandated cyber security training at the same time.
If part of their job is working with the OSS community I don’t see anything wrong (and I just finished my annual training a few weeks ago, so it’s still fresh in my mind).
Edit: keeping an “official” repo secret does seem like an issue, but public posts about the correct process to contribute upstream doesn’t seem like a problem.