Security researchers are applying software reliability models to vulnerability data, in an attempt to model the vulnerability discovery process. I show that most current work on these vulnerability discovery models (VDMs) is theoretically unsound. I propose a standard set of definitions relevant to measuring characteristics of vulnerabilities and their discovery process. I then describe the theoretical requirements of VDMs and highlight the shortcomings of existing work, particularly the assumption that vulnerability discovery is an independent process.

Categories and Subject Descriptors
D.2.8 [Software Engineering]: Metrics—product metrics, security metrics; G.3 [Probability and Statistics]: [reliability and life testing]

General Terms
Security, Reliability, Measurement

Keywords
security metrics, vulnerability discovery models, measuring software security, measuring vulnerabilities

∗This work is sponsored by the I3P under Air Force Contract FA8721-05-0002. Opinions, interpretati...