The problem is known: despite our best efforts to ship secure products, every year our industry continues to deal with a large number of vulnerabilities in software, hardware, and services. Improvements in tools to identify vulnerabilities prior to release, increased training and pen-testing, and established security teams have helped, but we are all still spending too much time and energy fixing individual security issues on released products. This talk is about how security teams, especially PSIRTs, can leverage the information, insights, and (yes) pain of dealing with security vulnerabilities over and over again to drive changes in their company's products and services. This talk will present some of the strategies we have used at Microsoft and in the Microsoft Security Response Center to address bug classes or common vulnerabilities across our products and services. We will share successes, failures, and current endeavors.