Description: The article describes the development of vulnerability of IT-products in accordance with the concept of standards ISO15408 «Common Criteria» and ISO18045 «Common methodology». The series standards ISO15408 and ISO61508 (functional safety and information security) are compared in context of Markovian chain-based safety and security assessment. The model of vulnerability development has been added by zero-day ones, which are not described in the standards. 7 possible options for the event on the development of vulnerability are described, and 20 models in the form of pathological chains are suggested. The tasks of weighing for transitions in pathological chains are considered basing on the standard ISO18045.
Keywords: vulnerability of IT-products, exploit, patch, pathological chain