Amy Rose has been the Technical Project Manager for the Lenovo Product Security Incident Response team for two years, driving closure of security issues from a wide range of sources across all Lenovo products. Amy has a background in computer networking and customer support engineering for Lenovo desktops and servers. She has 6 patents granted and over 40 more patents pending with the US Patent Office covering a breadth of technologies, from servers to mobile devices, software and security.

With all of the attention users pay to updating their computer’s software, when was the last time you updated your computer’s BIOS – the embedded software that makes the whole system work? We propose to discuss a zero-day vulnerability that received a lot of attention in the media – the ThinkPwn BIOS vulnerability – and the steps that Lenovo and the industry took to fix a serious issue overlooked for years. We plan to briefly discuss the mechanics of the vulnerability and the multiple-vendor nature of today’s computer BIOS, but then would like to concentrate on the timeline of the event and how our Product Security Incident Response team dealt with the fallout.

This issue was discovered by a researcher who posted his findings on Twitter and his blog without a coordinated disclosure. We will discuss the challenge of getting multiple teams and third-party companies (for example, a leading CPU supplier whose code was involved, as well as our independent BIOS vendors) to find and fix the problem once the proof of concept had already been released, and how we dealt with the resulting media attention and pressure from our customers. We will also discuss how this turned from a Lenovo-specific discovery (hence the name “ThinkPwn”) into an industry-wide issue crossing multiple layers of the supply chain. The root of the problem was in a piece of source code written by a leading CPU supplier many years ago and used in various vendors’ BIOSes, and we will talk about responses from other vendors.
This presentation could help other companies who have not yet dealt with a high-media-impact zero-day vulnerability, and it could foster a discussion about how various companies deal with zero-day vulnerabilities and with researchers who do not want to coordinate disclosure.