DETAILED ACTION
1. Pending claims for consideration are claims 1-23. Claims 1-3, 5, 12-13, 15-16, and 18 have been amended. Claims 20-23 are new.
Response to Arguments
2. Applicant's arguments filed 07/10/2025 have been fully considered but they are not persuasive.
In the remarks, applicant argues in substance:
a. That – Waplington, however, does not process any real risk. Rather, Waplington
merely helps recommending software patches and does not create a custom security score for each third-party provider based on their real risk or how risky such third-party providers are to a specific client.
In response to applicants’ argument- It is the combination of Waplington and Sindu that teaches the claimed language, neither Waplington nor Sindu alone. The claims have been examined in their broadest most reasonable interpretation in light of the applicant’s specification. Sindu discloses in its broadest most reasonable interpretation a risk assessment unit for receiving and processing risk score data for generating a predicted risk score value of the vendor, However, figure 6 of Waplington is a flow diagram by which the SM server receives solution data from a third - party vendor and builds relationships between new solutions and existing vulnerabilities , in accordance with aspects of the present disclosure),
b. That – Sindu does not describe vulnerability metrics determined using vulnerability scan data. In fact, Sindu does not even have vulnerability scan data. Rather, Sindu merely describes use of a security questionnaire to gather information regarding the vendor
In response to applicants’ argument- It is the combination of Waplington in view of Sindu that teaches the claimed limitation. According to paragraph 0014 within Sindu’s system is a vendor tiering unit for receiving the vendor related data and for classifying the vendor into one or more classes based on the vendor related data ; a program quality and efficiency analysis unit for receiving the risk score data and for determining an accuracy of the risk score.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
3. Claims 1-19 are rejected under 35 U.S.C. 103 as being unpatentable over Patent No.: US 11,489,861 B2 to Waplington et al(hereafter referenced as Waplington) in view of Pub.No.: US 2022/0405739 A1 to Sindu et al(hereafter referenced as Sindu).
Regarding claim 1, Waplington discloses “a method of controlling security of data belonging to a client and available to a third- party provider”(vulnerability-solution resolution system by third party vendor [Col.2/lines 41-46]) , “the method comprising: receiving vulnerability scan data”(receive third party scan data [Fig.2/item 262]) ; “determining a plurality of vulnerability metrics for the data of the client at the third- party provider using the vulnerability scan data” (VSRS includes a graphical user interface (GUI) that enables a user to exclude particular relationships from consideration when recommending solutions to resolve a vulnerability or when calculating metrics regarding the vulnerability [Col.2/lines 53-57]), “determining a security score of the third-party provider based on the plurality of vulnerability metrics, an impact of the third-party provider on the client (FIG . 6 is a flow diagram of a process by which the SM server receives solution data from a third - party vendor and builds relationships between new solutions and existing vulnerabilities , in accordance with aspects of the present disclosure), and a risk profile of the client”(the VRS system 220 may store a configurable confidence score threshold [Col.15/lines 59-60])
Waplington does not explicitly disclose “and causing a display device to display the security score determined for the third-party provider to control security of the data belonging to the client and available to the third-party provider.”
However, Sindhu in an analogous art discloses “ and causing a display device to display the security score determined for the third-party provider to control security of the data belonging to the client and available to the third-party provider” (a risk assessment unit for receiving and processing risk score data associated with the vendor and for generating a predicted risk score value of the vendor Sindhu[par.0014]).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Waplington’s resolution for vulnerabilities identified by third party scanners with Sindhu’s third-party security comprising a risk assessment unit which calculates a risk score in order to provide additional security. One of ordinary skill int the art would have been motivated to combine because Waplington’s VSR system identifies and vulnerabilities, Sindu comprises a risk assessment unit which determines and generates a risk score, and both are from the same field of endeavor.
Regarding claim 2 in view of claim 1, the references combined discloses “wherein receiving the vulnerability scan data comprises parsing vulnerability scan report generated by the third-party provider(receive solution from a third-party vendor that identifies solutions by solution ID and wherein each solution associated with at least one related CVE ID in the solution data Waplington [Fig.6/item 282]), wherein the vulnerability scan report is generated in response a vulnerability scan conducted on at least on component controlled by the third-party provider.” (FIG . 6 is a flow diagram of a process by which the SM server receives solution data from a third - party vendor and builds relationships between new solutions and existing vulnerabilities , in accordance with aspects of the present disclosure),
Regarding claim 3 in view of claim 2, the references combined discloses “ wherein the vulnerability scan is performed for storage locations identified by the third-party provider as storing data belonging to the client.” (The VSRS includes a data scheme that enables information regarding vulnerabilities and solutions to be stored, and enables certain relationships to be automatically generated between these vulnerabilities and solutions Waplington [Col.2/lines 45-50]).
Regarding claim 4 in view of claim 2, the references combined discloses “wherein the plurality of vulnerability metrics is selected based on where the data belonging to the client is stored at the third-party provider” The VSRS includes a data scheme that enables information regarding vulnerabilities and solutions to be stored, and enables certain relationships to be automatically generated between these vulnerabilities and solutions Waplington [Col.2/lines 45-50]).
Regarding claim 5 in view of claim 2, the references combined discloses “wherein receiving the vulnerability scan data comprises accessing a container (i.e. computing system see Waplington [Col4/lines 4-10]) associated with the third-party provider”( vulnerability-solution resolution system by third party vendor Waplington [Col.2/lines 41-46]), “the container comprising an indication of a location where vulnerability scan data related to the data of the client is stored.”(vulnerability-solution resolution system (VSRS) Waplington [Fig.4a]).
Regarding claim 6 in view of claim 5, the references combined discloses “a method according to claim 5, wherein the container is installed inside or outside a network of the third-party provider.”(network environment and service provider cloud infrastructure client instance 102 ( also referred to herein as a client instance 102 ) is associated with ( e.g. , supported and enabled by ) dedicated virtual servers ( e.g. , virtual servers 26A , 263 26C , and 26D ) and dedicated database servers ( e.g. , virtual database servers 104A and 104B ) Waplington [Col.6/lines 55-60]).
Regarding claim 7 in view of claim 1, the references combined discloses “wherein the vulnerability scan data identifies the third-party provider.” ( vulnerability-solution resolution system by third party vendor Waplington [Col.2/lines 41-46])
Regarding claim 8 in view of claim 7, the references combined discloses “further comprising: determining at least one first client of the third-party provider identified in the vulnerability scan data, wherein the plurality of vulnerability metrics are determined for the at least one first client” (configuration management database (CMDB), which tracks information regarding configuration items (CIs) associated with a client Waplington [Col.1/lines 60-63]).
Regarding claim 9 in view of claim 8, the references combined discloses “further comprising: determining at least one further client (client network 12 Waplington [Fig.2]) of the third-party provider identified in the vulnerability scan data(receive third party scan data Waplington [Fig.2/item 262]); determining a plurality of vulnerability metrics for the data of the at least one further client at the third-party provider” VSRS includes a graphical user interface (GUI) that enables a user to exclude particular relationships from consideration when recommending solutions to resolve a vulnerability or when calculating metrics regarding the vulnerability Waplington [Col.2/lines; “and determining a security score for third-party provider with respect to the at least one further client based on the plurality of vulnerability metrics and a risk profile associated with the at least one further client” (ML-based automated exclusion component may generate a confidence score (e.g., a real number having a value between 0 and 1), which may be considered a measurement of how similar a given set of vulnerability and solution detail inputs are to the vulnerability and solution details inputs used during training Waplington [Col.15/lines 52-59]), “wherein the security score for the third-party provider with respect to the at least one further client is different to the security score for the third-party provider with respect to the at least one first client” (a risk assessment unit for receiving and processing risk score data associated with the vendor and for generating a predicted risk score value of the vendor Sindhu[par.0014]).
Regarding claim 10 in view of claim 1, the references combined discloses “wherein determining a security score for the third- party provider comprises: determining a value representing a number of risks in each of a plurality of risk categories based on the risk profile associated with the client and the plurality of vulnerability metrics”(risk assessment unit Sindhu[Fig.1/16]) ; “and determining the security score for the third-party provider based on the determined values, wherein each value represents a number of risks for a risk category in the plurality of risk categories.”(virtual agent to categorize the nature of the work to be performed , recommend preferred third party vendors , and provide initial risk categorization and scoring Sindhu[par.0042]).
Regarding claim 11 in view of claim 10, the references combined discloses “further comprising: determining a graphical representation of the security score based on a threshold to display on the display device”(output devices can also include video displays , graphical displays Sindhu [par.0064]).
Regarding claim 12 in view of claim 1, the references combined discloses “further comprising determining a plurality of third- party providers of the client by analyzing data of the client and storing a correspondence between the client and the plurality of third-party providers in a database” ( vulnerability-solution resolution system by third party vendor Waplington [Col.2/lines 41-46])
Regarding claim 13, Waplington discloses “a system for controlling security of data available to a third-party provider” (vulnerability-solution resolution system by third party vendor [Col.2/lines 41-46]), the system comprising: a processor and memory storing instructions which when executed by the processor cause the third-party provider processor to: provide an access to a location storing vulnerability scan data for a conducted vulnerability scan” (receive third party scan data [Fig.2/item 262]), “the vulnerability scan data comprising a plurality of vulnerability metrics at least one vulnerability detected at the third-party provider” (VSRS includes a graphical user interface (GUI) that enables a user to exclude particular relationships from consideration when recommending solutions to resolve a vulnerability or when calculating metrics regarding the vulnerability [Col.2/lines 53-57]), “determine a security score of the third-party provider based on the plurality of vulnerability metrics, an impact of the third party provider on the client (FIG . 6 is a flow diagram of a process by which the SM server receives solution data from a third - party vendor and builds relationships between new solutions and existing vulnerabilities , in accordance with aspects of the present disclosure), and a risk profile associated with the determined client” (the VRS system 220 may store a configurable confidence score threshold [Col.15/lines 59-60]).
Waplington does not explicitly disclose “access the location storing the vulnerability scan data associated with the third-party provider” receive third party scan data [Fig.2/item 262]); determine a client to which the vulnerability scan data pertains by accessing a database storing a correspondence between the at least one client and the third-party provider; and cause a display device to display the security score determined for the third- party provider.”
However, Sindhu in an analogous art discloses “access the location storing the vulnerability scan data associated with the third-party provider” (a risk assessment unit for receiving and processing risk score data associated with the vendor and for generating a predicted risk score value of the vendor Sindhu[par.0014]) ; “determine a client to which the vulnerability scan data pertains by accessing a database storing a correspondence between the client and the third-party provider; and cause a display device to display the security score determined for the third-party provider.” (a risk assessment unit for receiving and processing risk score data associated with the vendor and for generating a predicted risk score value of the vendor Sindhu[par.0014]).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Waplington’s resolution for vulnerabilities identified by third party scanners with Sindhu’s third-party security comprising a risk assessment unit which calculates a risk score in order to provide additional security. One of ordinary skill int the art would have been motivated to combine because Waplington’s VSR system identifies and vulnerabilities, Sindu comprises a risk assessment unit which determines and generates a risk score, and both are from the same field of endeavor.
Regarding claim 14 in view of claim 13, the references combined disclose “wherein determining a security score for the third- party provider comprises: determining a value representing a number of risks in each of a plurality of risk categories based on the risk profile associated with the client for the third-party provider and the plurality of vulnerability metrics(risk assessment unit Sindhu[Fig.1/16] see also vendor profile and associated vendor risk score Sindhu[par.0032]); determining the security score for the third-party provider based on the determined values, wherein each value represents a number of risks for a risk category in the plurality of risk categories; determining a graphical representation of the security score based on a threshold to display of the display device” (the VRS system 220 may store a configurable confidence score threshold Waplington[Col.15/lines 59-60])
Regarding claim 15 in view of claim 13, the references combined disclose “further comprising instructions which when executed by the processor cause the processor to determine a third-party provider involved with data of a client” (VSRS includes a vulnerability response ( VR ) server [Fig.4])
Regarding claim 16, Waplington discloses “a computer readable storage medium for determining security of data belonging to a client and available to a third-party provider, the computer readable storage medium comprises computer readable instructions stored therein, the computer readable instructions being executable by a processor to cause the processor to: receive vulnerability scan data for at least a portion of infrastructure controlled by the third-party provider” (receive third party scan data [Fig.2/item 262]); determine a plurality of vulnerability metrics for the third-party provider from the received vulnerability scan data” (VSRS includes a graphical user interface (GUI) that enables a user to exclude particular relationships from consideration when recommending solutions to resolve a vulnerability or when calculating metrics regarding the vulnerability [Col.2/lines 53-57]).
Waplington does not explicitly disclose “and determine security of the data belonging to the client and available to the third-party provider based on the plurality of vulnerability metrics, an impact of the third-party provider of the client, and a risk profile of the client.”
However, Sindhu discloses “and determine security of the data belonging to the client and available to the third-party provider based on the plurality of vulnerability metrics, an impact of the third-party provider of the client (FIG . 6 is a flow diagram of a process by which the SM server receives solution data from a third - party vendor and builds relationships between new solutions and existing vulnerabilities , in accordance with aspects of the present disclosure) and a risk profile of the client” (a risk assessment unit for receiving and processing risk score data associated with the vendor and for generating a predicted risk score value of the vendor Sindhu[par.0014]).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Waplington’s resolution for vulnerabilities identified by third party scanners with Sindhu’s third-party security comprising a risk assessment unit which calculates a risk score in order to provide additional security. One of ordinary skill int the art would have been motivated to combine because Waplington’s VSR system identifies and vulnerabilities, Sindu comprises a risk assessment unit which determines and generates a risk score, and both are from the same field of endeavor.
Regarding claim 17 in view of claim 16, the references combined disclose “wherein a value of at least one of the plurality of vulnerability metrics for the data for the client differs from a value of a corresponding at least one of the plurality of vulnerability metrics for the data for a further client” (VSRS includes a graphical user interface (GUI) that enables a user to exclude particular relationships from consideration when recommending solutions to resolve a vulnerability or when calculating metrics regarding the vulnerability Waplington[Col.2/lines 53-57]); “and wherein a security score for the third-party provider with respect to the further client is different to the security score for the third-party provider with respect to the client.” (the VRS system 220 may store a configurable confidence score threshold Waplington[Col.15/lines 59-60])
Regarding claim 18 in view of claim 16, the references combined disclose “further comprising parsing a vulnerability scan report prepared by the third-party provider, wherein the vulnerability scan report is generated in response a vulnerability scan conducted by the third-party provider on at least one component controlled by the third-party provider” (a risk assessment unit for receiving and processing risk score data associated with the vendor and for generating a predicted risk score value of the vendor Sindhu[par.0014]).
Regarding claim 19 in view of claim 16, the references combined disclose “further comprising instructions for determining a security score for the third-party provider to cause the processor to: determine a value representing a number of risks in each of a plurality of risk categories based on the risk profile associated with the client for the third-party provider and the plurality of vulnerability metrics”(risk assessment unit Sindhu[Fig.1/16]); “determining the security score for the third-party provider based on the determined values; determining a graphical representation of the security score based on a threshold to display of the display device” (output devices can also include video displays , graphical displays Sindhu [par.0064]).
Regarding claim 20 in view of claim 13, the references combined discloses “wherein the vulnerability scan data is based on where the data belonging to the client is stored at the third-party provider” (Waplington [FIG.6] is a flow diagram of a process by which the SM server receives solution data from a third - party vendor and builds relationships between new solutions and existing vulnerabilities , in accordance with aspects of the present disclosure),
Regarding claim 21 in view of claim 16, the references combined discloses “wherein the plurality of vulnerability metrics comprises a vulnerability exploitability metric and a vulnerability impact metric for each vulnerability, wherein determining security of the data comprises: determining a likelihood of a vulnerability based on the vulnerability exploitability metric and the risk profile of the client”(the risk score data 12b can be any type of risk score metrics that are assigned or associated with a selected vendor . The risk score data 12b can be assigned to the vendor automatically by the system based on a set of selected risk score parameters , or can be assigned to the vendor by an assessment analyst . The risk assessment unit 16 receives the risk score data 12b and can then generate , based on the data , a new or updated vendor profile and associated vendor risk score Sindhu Waplington [par.0032]) ; “determining an impact of the vulnerability based on the vulnerability impact metric and the impact of the third-party provider on the client”; and determining a security risk using the risk profile of the client based on the likelihood of the vulnerability and the impact of the vulnerability”(the risk score data 12b can be any type of risk score metrics that are assigned or associated with a selected vendor . The risk score data 12b can be assigned to the vendor automatically by the system based on a set of selected risk score parameters , or can be assigned to the vendor by an assessment analyst . The risk assessment unit 16 receives the risk score data 12b and can then generate , based on the data , a new or updated vendor profile and associated vendor risk score Sindhu Waplington [par.0032]).
Regarding claim 22 in view of claim 1, the references combined disclose “wherein determining a security score of the third- party provider comprises: for each vulnerability in a plurality of vulnerabilities detected in the vulnerability scan data” (a risk assessment unit for receiving and processing risk score data associated with the vendor and for generating a predicted risk score value of the vendor Sindhu[par.0014])., “determining a risk of a vulnerability based on at least one vulnerability metric associated with the vulnerability in the vulnerability scan data” (a risk assessment unit for receiving and processing risk score data associated with the vendor and for generating a predicted risk score value of the vendor Sindhu[par.0014]), “the risk profile of the client, and the impact of the third-party provider on the client; and determining the security score of the third-party provider based on the determined risk for each of the plurality of vulnerabilities.”
Regarding claim 23 om view of claim 1, the references combined disclose “wherein the risk profile comprises a risk assessment matrix, and wherein the impact of the third-party provider on the client depends on sensitivity of data shared by the client with the third-party provider” (the risk score data 12b can be any type of risk score metrics that are assigned or associated with a selected vendor . The risk score data 12b can be assigned to the vendor automatically by the system based on a set of selected risk score parameters , or can be assigned to the vendor by an assessment analyst . The risk assessment unit 16 receives the risk score data 12b and can then generate , based on the data , a new or updated vendor profile and associated vendor risk score Sindhu Waplington [par.0032]).
Conclusion
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL D ANDERSON whose telephone number is (571)270-5159. The examiner can normally be reached Mon-Fri 9am-6pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached at (571) 272-6798. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/MICHAEL D ANDERSON/ Examiner, Art Unit 2433
/JEFFREY C PWU/ Supervisory Patent Examiner, Art Unit 2433