The invention belongs to the field of software safety and relates to a method for detecting security bugs of a software system. The method comprises the following steps of: abstracting a fundamental structure of the security bugs and formalizing the fundamental structure by a great amount of research on the security bugs; constructing a database of security bugs, which is used for verification based on the formalized security bugs; formalizing various products in the process during a process of software development by using an extended Z language to form a piece of Z specification; and finally, automatically detecting the security bugs of the Z specification based on the verifiable database of the security bugs. The method can realize automatic detection of the security bugs during the process of the software development, so that the security of the software is improved.