When dealing with free and open-source software, we have to work together with reporters, upstream developers and other distributions to protect end users from security threats. For distributions, it is a challenge to deal with a huge collection of software packages, both internally and externally developed, employing many different development procedures. This talk looks at best practices which emerged for vulnerability tracking. Tracking already reported vulnerabilities is only one aspect, however. We discuss tool-chain based hardening features (which can sometimes turn vulnerabilities exploitable for code execution into mere crashers), some remaining low-hanging fruits in this area, and more radical approaches for avoiding low-level vulnerabilities related to memory safety. Some of the APIs we provide are difficult to use, and we look at ways to detect API misuse statically, across an entire distribution.