DETAILED ACTION
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 27 January 2026 has been entered.
By the above submission, Claims 1-7, 9, 12, and 14-20 have been amended. Claim 8 has been canceled. No new claims have been added. Claims 1-7 and 9-20 are currently pending in the present application.
Response to Arguments
Applicant's arguments filed 26 January 2026 have been fully considered but they are not persuasive.
Regarding the objection to Figure 9 as requiring a prior art label, Applicant asserts that Figure 9 is not prior art because the figure illustrates hardware on which non-prior art software and data are stored and processed (pages 10-11 of the present response, citing paragraph 0130 of the present specification). However, the quoted paragraph does not clearly reflect paragraph 0130 as filed. If Applicant intended to refer to paragraph 0123, it is noted that this paragraph states that the system “may execute techniques presented” and “a computer may be configured to execute techniques”; however, these statements are non-limiting, and the Figure does not clearly depict such configuration or execution. The figure only depicts conventional computer components, and the specification only describes the components in conventional terms (see paragraph 0123). Therefore, only that which is old is illustrated.
Regarding the objection to the drawings for informalities, Applicant argues that the split text across multiple sheets in Figures 6A, 6E, and 6F is “internally consistent” and would be understood (page 11 of the present response). However, it is again submitted that the splitting of text makes such text difficult to read, and at the very least, the sheets should be split such that the split is not in the middle of words. See in particular Figure 6A.
Regarding the rejection of Claims 1-20 under 35 U.S.C. 101 as directed to abstract ideas without significantly more, Applicant argues that the claims are directed a practical application of specific, non-generic “data structures and processing rules that improve the way computers reconcile and operationalize heterogenous, time-sequenced vulnerability data” (page 12 of the present response). However, although the claims recite various data structures, these data structures are, in fact, generic and merely recite what data is stored within them, with no particular limitation on how the data are stored in relation to each other. Further, the claims do not recite any processing rules, nor do they explicitly recite any heterogenous, time-sequenced data or reconciliation or operationalizing of such data. Applicant also argues that the claims recite “an inventive concept that is not well-understood, routine, or conventional” (page 12 of the present response); however, this is not the test relating to whether well-understood, routine, conventional activity, which is only limited to “additional elements” beyond the abstract ideas or other judicial exceptions. See MPEP § 2106.05(d).
Applicant further argues that Claim 1 now recites a component including a vulnerability scanner and Claim 17 now recites obtaining scanner data from a vulnerability scanner (pages 12-13 of the present response). However, merely reciting the source of abstract data without providing further detail as to whether the collection of such data is non-generic or unconventional does not clearly provide a practical application or significantly more than the abstract ideas. Similarly, the recitation of other structures such as user devices, IT systems having assets, and a management component at most provide a field of use or technological environment in which to perform the abstract ideas as per MPEP § 2106.05(h) and/or constitute nothing more than mere instructions to implement the abstract ideas on a computer as per MPEP § 2106.05(f). The recitation of certain data structures also does not clearly provide a practical application because they only generically recite what data is stored within them, with no particular limitation on how the data are stored in relation to each other. Applicant further argues that the claims as amended recite generating an alert or report triggered by an indication of a change in vulnerability status and asserts that this is a “time-aware” trend determination “on the fly” (pages 13-14 of the present response). However, being triggered by a change in status does not require a particular response time and does not require processing data “on the fly” as asserted.
Regarding Step 2A, Applicant argues that the claims are directed to a practical application because the provide an improvement of time-aware management of vulnerabilities of IT systems by turning raw data into actionable time-aware signals driving operational response (page 14 of the present response); however, Applicant has not explained where such “time-aware signals” are described in the claims. Applicant argues that various limitations relating to the management component and various data structures impose meaningful non-generic limitations because the claims specifically claim components and steps for achieving the result of detecting vulnerabilities (pages 14-15 of the present response) and asserts that the means for performing the vulnerability detection are a clear advance over merely extracting and analyzing data; however, Applicant has not clearly explained what particular steps perform actions beyond such extraction and analysis. Although Applicant refers to DDR (see page 15 of the present response), Applicant does not provide any explanation for what aspects of the claim are necessarily rooted in computer technology to overcome a problem specifically arising in the realm of computer networks as in DDR, nor has Applicant explained what the problem is asserted to be. Further, although Applicant asserts that the claimed techniques are “tied to specific computer data structures” and control flows beyond collecting, analyzing, and displaying information (pages 15-16 of the present response), it is noted that the data structures recited in the claims as amended are only recited generically as to what data they contain without providing any non-generic structure or relationship between the data in the structures. This is in contrast to Enfish, for example, in which a specific self-referential table for a database was an improvement in existing technology. Although Applicant argues that the claims recite a specific implementation that normalizes scanner outputs into a defined schema, structures analytics to enable delta comparisons across scans, and computes time-aware states with statuses produced via specific field-based comparisons that improve the data processing capabilities (pages 16-17 of the present response), it is noted that none of these details are recited in the claims.
Regarding Step 2B, Applicant argues that the claims recite significantly more than the abstract ideas because of the specific data structures, field-specific comparison logic, cross-scanner normalization, and consequences tied to the computed states that are allegedly recited in the claims as amended (pages 17-18 of the present response). However, the claims do not recite any of differentiating within-asset occurrences of a vulnerability; enabling scan-to-scan deltas; automatic comparisons used in downstream orchestration; determining matches on specific identifiers; longitudinal tracking across heterogeneous scanners; or direct, automated enforcement by downstream actions. Therefore, it is not clear how these alleged features would provide significantly more than the abstract ideas.
Therefore, for the reasons detailed above, the Examiner maintains the rejections as set forth below.
Drawings
The objections to the drawings are NOT withdrawn for the reasons detailed above.
Figure 9 should be designated by a legend such as --Prior Art-- because only that which is old is illustrated. See MPEP § 608.02(g). Corrected drawings in compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid abandonment of the application. The replacement sheet(s) should be labeled “Replacement Sheet” in the page header (as per 37 CFR 1.84(c)) so as not to obstruct any portion of the drawing figures. If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance.
The drawings are objected to because they include informalities. Figure 6A spans two sheets, and the divisions between the portions of the drawings are not clear and include text that is split in the middle of words across the two sheets, for example. Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. The figure or figure number of an amended drawing should not be labeled as “amended.” If a drawing figure is to be canceled, the appropriate figure must be removed from the replacement sheet, and where necessary, the remaining figures must be renumbered and appropriate changes made to the brief description of the several views of the drawings for consistency. Additional replacement sheets may be necessary to show the renumbering of the remaining figures. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance.
Specification
The specification is objected to as failing to provide proper antecedent basis for the claimed subject matter. See 37 CFR 1.75(d)(1) and MPEP § 608.01(o). Correction of the following is required: Independent Claims 1 and 17 have been amended to recite “an alert or report triggered by the indication of the change in the vulnerability status”. There is no mention in the specification of how an alert or report is triggered. Independent Claims 1 and 17 have also been amended to recite that a finding data structure includes “a normalized scan timestamp” and “a vulnerability ID mapped to a common identifier space”. Although the specification refers to normalization of data more generally, there is no mention of normalizing timestamps. Further, there is no mention of mapping any vulnerability IDs, nor is there any mention of a common identifier space. Therefore, there is not proper antecedent basis for the claimed subject matter in the specification. For further detail, see below with respect to the rejection under 35 U.S.C. 112(a) for failure to comply with the written description requirement.
Claim Rejections - 35 USC § 101
The rejection of Claim 8 under 35 U.S.C. 101 as directed to abstract ideas is moot in light of the cancellation of the claim. The rejection of Claims 1-7 and 9-20 is NOT withdrawn for the reasons detailed above.
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-7 and 9-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to abstract ideas without significantly more.
Claim 17 recites a method that includes obtaining scanner data and extracting data bits for findings in the scanner data; determining and storing, in a finding data structure, a set of values for each finding; determining and storing, in an analytic data structure, an analytic record for the plurality of findings; determining trend records based on the finding and analytic data structures, where the trend records include a change in vulnerability status; and generating an alert or report to be displayed based on an indication of the change in vulnerability status. The steps of extracting data bits, determining a set of values, determining analytic records, and determining trend records amount to manipulation of data, such that these steps could be performed visually, by hand, or mentally. These constitute mental processes, which constitute one of the groupings of abstract ideas set forth in MPEP § 2106.04(a)(2). Abstract ideas are judicial exceptions as per MPEP § 2106.04(I). See also Alice Corporation Pty. Ltd. v. CLS Bank International, et al, 573 U.S. 208, 110 USPQ2d 1976 (2014).
This judicial exception is not integrated into a practical application because the claim does not recite any practical application or use of the result of the mental processes. The indication of the change in vulnerability status being displayed and/or the step of generating the alert or report constitutes at most necessary output of the abstract mental process, which constitutes insignificant post-solution activity as per MPEP § 2106.05(g), and the intermediate steps of storing the data structures similarly constitute insignificant extra-solution activity. There is nothing in the claim that would result in a particular transformation, as per MPEP § 2106.05(c), nor does the claim require the use of the abstract idea in conjunction with a particular machine or manufacture, as per MPEP § 2106.05(b). The recitation that the method is “computer-implemented” constitutes nothing more than mere instructions to implement the abstract idea on a computer, and the recitation of organization IT systems having assets constitute nothing more than a field of use or technological environment in which to practice the abstract ideas. See MPEP § 2106.05(f) and (h). The step of obtaining scanner data is generic as to the source of the scanner data from a vulnerability scanner constitutes mere data gathering, which is insignificant extra-solution activity as per MPEP § 2106.05(g). The details of the elements of the finding data structure, analytics data structure, and trend data structure only generically recite an arrangement of abstract data without any particular structural relationship between the elements. There are no additional elements that apply or use the abstract idea in a meaningful way beyond merely linking the use of the judicial exception to a particular technological environment. Therefore, the claim is not directed to a practical application of the abstract ideas.
The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception for similar reasons as detailed above with respect to the question of a practical application of the judicial exception. Although the indication is to be displayed, this is only generically recited in terms of generic computer components. The step of obtaining scanner data constitutes data gathering which could be implemented as retrieving data from memory or receiving data over a network, and the steps of storing the data structures only require storing data in memory in a generic manner. These are generic computer functions that are well-understood, routine, and conventional activity, and therefore these steps do not add significantly more to the abstract idea. See MPEP § 2106.05(d)(II), citing Symantec, TLI, OIP Techs., buySAFE, and Versata. Therefore, Claim 17, as a whole, whether the steps are considered individually or as an ordered combination, is not directed to significantly more than the abstract idea.
Dependent Claims 18-20 recite further specifics of extracting the data or determining values, which are still related to either the abstract steps of mental processes or the conventional activity of data gathering. Therefore, the dependent claims do not clearly provide any additional steps that would result in a practical application of the abstract idea or otherwise amount to significantly more than the abstract ideas recited in independent Claim 17.
Claim 1 is directed to a system having functionality corresponding substantially to the method of Claim 17. This functionality is directed to an abstract idea for similar reasons as detailed above with respect to Claim 17. Although the claim broadly recites a processor and memory, as well as user devices, IT systems, and a management component, these limitations at most require no more than a generic computer to perform generic computer functions or constitute mere instructions to implement the abstract idea on a computer and/or a field of use or technological environment in which the abstract idea is implemented. See MPEP § 2106.05(f) and (h). Therefore, the system of Claim 1 is not directed to significantly more than the abstract ideas themselves. Dependent Claims 2-7 and 9-16 only recite further specifics of extracting the data or performing abstract determinations of data, which are still related to either the abstract steps of mental processes or the conventional activity of data gathering, as discussed above with respect to Claims 18-20, and therefore do not clearly provide any additional steps that would result in a practical application of the abstract idea or otherwise amount to significantly more than the abstract ideas recited in independent Claim 1.
Based upon consideration of all of the relevant factors with respect to the claims as an ordered combination and as a whole, Claims 1-7 and 9-20 are determined to be directed to abstract ideas without a practical application and without significantly more, as detailed above. Therefore, based on the above analysis, the claimed inventions are not directed to patent eligible subject matter.
Claim Rejections - 35 USC § 112
The rejection of Claim 8 under 35 U.S.C. 112(b) as indefinite is moot in light of the cancellation of the claim. The rejection of Claims 1-7 and 9-20 is NOT withdrawn because not all issues have been addressed and/or because the amendments have raised new issues, as detailed below.
The following is a quotation of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.
The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.
Claims 1-7 and 9-20 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claims contain subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.
Independent Claims 1 and 17 have been amended to recite “an alert or report triggered by the indication of the change in the vulnerability status”. There appears to be no mention in the specification of how an alert or report is triggered. Independent Claims 1 and 17 have also been amended to recite that a finding data structure includes “a normalized scan timestamp” and “a vulnerability ID mapped to a common identifier space”. Although the specification refers to normalization of data more generally, there appears to be no mention of normalizing timestamps. Further, there appears to be no mention of mapping any vulnerability IDs, nor is there any mention of a common identifier space. Additionally, Applicant has not pointed out where the amended claims are supported in the specification. See MPEP § 2163.04. Therefore, there is not clearly sufficient written description of the claimed subject matter in the specification.
Claims not explicitly referred to above are rejected due to their dependence on a rejected base claim.
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
Claims 1-7 and 9-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claim 1 recites “the vulnerability management comprising, at least one vulnerability scanner… at least one processor; and at least one memory” in lines 8-12. The use of the comma after “comprising” is grammatically unclear, although it appears that this should be replaced by a colon. The claim further recites “the system is configured to” perform various functions beginning in lines 12-13. It is not clear whether the system or the vulnerability management component is actually configured to perform the functions, or whether the instructions stored by the memory would actually be what configure the processor to perform the functions. The claim additionally recites “the alert or report to be displayed to the one or more user devices” in lines 29-30. It is not grammatically clear how this phrase relates to the remainder of the claim. The above ambiguities render the claim indefinite.
Claim 2 recites “the system is configured to” in lines 2-3. It is not clear whether the system, the management component, or the instructions are what is actually configured.
Claim 3 recites “the system is configured to” in lines 2-3. It is not clear whether the system, the management component, or the instructions are what is actually configured.
Claim 4 recites “the system is configured to” in line 2. It is not clear whether the system, the management component, or the instructions are what is actually configured.
Claim 5 recites “the system is configured to” in line 2. It is not clear whether the system, the management component, or the instructions are what is actually configured.
Claim 6 recites “the finding data is Common Vulnerabilities and Exposures” in lines 3-4. There is not clear agreement between the singular “is” and the plural objects.
Claim 7 recites “the system is configured to” in line 1. It is not clear whether the system, the management component, or the instructions are what is actually configured. The claim further recites “analytic data structure” in line 3; it is not clear whether this is intended to refer to one of the previously recited at least one analytic data structures or an additional structure.
Claim 11 recites “the system is configured to” in line 2. It is not clear whether the system, the management component, or the instructions are what is actually configured.
Claim 12 recites “the system is configured to” in line 2. It is not clear whether the system, the management component, or the instructions are what is actually configured. The claim further recites “the scan key value” in lines 3, 5, and 7; however, the claims previously recited plural scan key values and it is not clear to which of the plural values these limitations are intended to refer.
Claim 13 recites “the system is configured to” in line 3. It is not clear whether the system, the management component, or the instructions are what is actually configured.
Claim 14 recites “the system is configured to” in lines 1-2. It is not clear whether the system, the management component, or the instructions are what is actually configured.
Claim 15 recites “the system is configured to” in lines 1-2. It is not clear whether the system, the management component, or the instructions are what is actually configured. The claim further recites “[a” in line 6, which is grammatically unclear.
Claim 16 recites “the system is configured to” in lines 1-2. It is not clear whether the system, the management component, or the instructions are what is actually configured.
Claim 17 recites “generating an alert or report triggered by the indication of the change in the vulnerability status from the first time period to the second time period to be displayed to one or more user devices” in lines 20-22. It is not grammatically clear what the phrase “to be displayed” is intended to modify or what is actually to be displayed. The above ambiguities render the claim indefinite.
Claim 18 recites “the finding” in line 5. It is not clear to which of the plural findings this is intended to refer.
Claim 19 recites “the set of values, includes” in lines 2-3. The use of the comma is grammatically unclear and should likely be deleted.
Claims not explicitly referred to above are rejected due to their dependence on a rejected base claim.
Allowable Subject Matter
Claims 1-7 and 9-20 would be allowable if rewritten or amended to overcome the rejections under 35 U.S.C. 112(b) and 35 U.S.C. 101 set forth in this Office action.
The following is a statement of reasons for the indication of allowable subject matter: Although the references cited in the previous Office actions generally disclose methods and devices for analyzing trends or historical information relating to vulnerabilities, none of the cited art clearly teaches or suggests, alone or in combination, the detailed elements required by the claimed finding data structure, analytic data structure, and trend data structure, in combination with the other claimed limitations.
It is noted that amendments which change the scope of the claims may require reconsideration of the determination of allowable subject matter.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Zachary A Davis whose telephone number is (571)272-3870. The examiner can normally be reached Monday-Friday, 9:00am-5:30pm, Eastern Time.
Examiner interviews are available via telephone and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Rupal D Dharia can be reached at (571) 272-3880. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Zachary A. Davis/Primary Examiner, Art Unit 2492