This paper presents a multi-cycle vulnerability discovery model which shows the vulnerability discovery process and the relationship between the number of vulnerabilities and their release time. The model makes use of a cycle, which expands the scope of old models. A method is proposed to compute the parameters of this model to fit the discover process of the target software. Different rules are also given to find the initial values. Experiments are made on eight Windows operating systems. The results show that this model is more effective and more accurate than current models.