Prosecution Insights
Last updated: July 17, 2026
Application No. 18/405,511

VULNERABILITY AND REMEDIATION VALIDATION AUTOMATION

Final Rejection §101§102§103
Filed
Jan 05, 2024
Examiner
MARTINEZ, TOMMY NMN
Art Unit
2496
Tech Center
2400 — Computer Networks
Assignee
Disney Enterprises Inc.
OA Round
4 (Final)
14%
Grant Probability
At Risk
5-6
OA Rounds
0m
Est. Remaining
-6%
With Interview

Examiner Intelligence

Grants only 14% of cases
14%
Career Allowance Rate
1 granted / 7 resolved
-43.7% vs TC avg
Minimal -20% lift
Without
With
+-20.0%
Interview Lift
resolved cases with interview
Typical timeline
2y 4m
Avg Prosecution
24 currently pending
Career history
39
Total Applications
across all art units

Statute-Specific Performance

§103
97.8%
+57.8% vs TC avg
§102
1.4%
-38.6% vs TC avg
§112
0.7%
-39.3% vs TC avg
Black line = Tech Center average estimate • Based on career data from 7 resolved cases

Office Action

§101 §102 §103
Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Response to Arguments Applicant's arguments filed May 7, 2026 have been fully considered but they are not persuasive. In page 1 of the remarks, Applicant states that claims 1-16, 18, and 20 were rejected under 35 U.S.C. § 102(a)(1) as being anticipated by Basavapatna-1 (U.S. 20130191919), and claims 17, and 19 under 35 U.S.C. § 103 as being unpatentable over Basavapatna-1, in view of Basavapatna-2 (U.S. 20130096980). Furthermore, Applicant states that claims 1-20 were rejected under 35 U.S.C. § 101 because the claimed invention is indicated to be directed to an abstract idea without significantly more, and that the independent claims were amended to overcome the 101 rejections, particularly, “executing, via a computer network, the executable test on the target system, causing the target system to generate a set of results based on which qualification data qualifying the vulnerability detection is generated”, and requests that the rejections under 101 for the claims be withdrawn. Examiner disagrees, as the limitation of “executing, via a computer network, the executable test on the target system […]”, while utilizing a computer network to execute a test on a system to determine a set of results from qualification data that highlights a vulnerability detection, is concerned with execution of tests to generate data to determine qualifying detections of a particular vulnerability. This judicial exception is not integrated into a practical application because the limitations above involve the process of executing tests, and generating result data regarding vulnerabilities, constitutes the claim limitations falling within the abstract idea, specifically the category of mental processes and information analysis, with the aid of a computer. See MPEP § 2106.05(a)(II), “IMPROVEMENTS TO ANY OTHER TECHNOLOGY OR TECHNICAL FIELD”. “Merely adding generic computer components to perform the method is not sufficient. Thus, the claim must include more than mere instructions to perform the method on a generic component or machinery to qualify as an improvement to an existing technology”. Furthermore, the aspect of “causing the target system to generate a set of results based on which qualification data qualifying the vulnerability detection is generated”, while reciting a mental process, constitutes data analysis, as stated in 2106.04(a)(2)(III), paragraph A, “A Claim With Limitation(s) That Cannot Practically be Performed in the Human Mind Does Not Recite a Mental Process”, where a claim to “collecting information, analyzing it, and displaying certain results of the collection and analysis,” where the data analysis steps are recited at a high level of generality such that they could practically be performed in the human mind, Electric Power Group v. Alstom, S.A., 830 F.3d 1350, 1353-54, 119 USPQ2d 1739, 1741-42 (Fed. Cir. 2016). In particular, although the qualification tests include an executable test for use on a computer, the generating of a set of results based on the qualification data qualifying the detections can be performed by the human mind, with the aid of a computer, as the claims are broad enough to practically be performed mentally. Claim 1 remains directed to the abstract idea of evaluating information and making a determination based on test results, namely determining whether a vulnerability requires remediation based on executed qualification tests and the resulting data. The additional recitation of “executing, via a computer network, the executable test on the target system, causing the target system to generate a set of results based on which qualification data qualifying the vulnerability detection is generated” does not remove the claim from the abstract idea category. The fact that the claimed steps are performed via a computer network or require a target system does not, by itself, render the claim patent eligible. Merely requiring that an abstract idea be performed using a computer, network, or other generic hardware does not integrate the abstract idea into a practical application. The claim does not recite any specific technological improvement to the computer network, the target system, the vulnerability scanner, or the execution of the test itself. Rather, the recited computer implementation is used as a tool to carry out the abstract process of testing, evaluating, and determining remediation. Applicant’s assertion that the limitation cannot be practically performed in the human mind or with pen and paper is also unavailing. Even if a particular step is not literally performable by a human mind, that fact alone does not establish eligibility where the claim as a whole recites an abstract process implemented on generic computing components. The claim still focuses on obtaining a vulnerability detection, identifying tests, executing those tests, generating results, determining qualification data, and associating that data with the detection. These are steps of data gathering, analysis, and decision-making. The use of a computer network to implement those steps does not change the fundamental character of the claim. Further, the amended limitation merely recites the desired functional result of executing a test and generating results from which qualification data is derived. It does not recite a particular technical mechanism, algorithm, or improvement that meaningfully limits the claim to a practical application. Accordingly, the additional language does not supply significantly more than the abstract idea itself. Therefore, the rejection under 35 U.S.C. § 101 is maintained. In pages 2-3 of the remarks, Applicant has amended claim 1 to recite “[…] qualification data is based on a configuration of the target system excluded in the vulnerability detection from that is not considered by the vulnerability scanner”, and states that the Examiner mapped qualification test to process 300 of Basavapatna-1 comparing data for a given threat to configuration data 207 of a given asset, Office Action (“OA”) page 10. Applicant also claimed that in the OA, “vulnerability detection” data 206 of Basavapatna-1 is separate from configuration data 207. OA page 11. Finally, Applicant states that the Applicant’s “vulnerability scanner” does not consider a configuration of a target system when generating a vulnerability detection, and that the vulnerability detection data 206 is generated by vulnerability data source(s) 212, based on the configuration of the target system, with paragraph [0060] disclosing that the techniques used in the invention of Basavapatna-1 is based at least in part by asset configuration data 207. Applicant requests withdrawal of the 102 rejections for the independent claims. Examiner disagrees with the Applicant, as the limitation of “[…] qualification data is based on a configuration of the target system excluded in the vulnerability detection from that is not considered by the vulnerability scanner” is described in Basavpatna-1 in paragraph in Fig. 3B, in paragraph [0105], Fig. 3B, process 350, where the determination of whether an asset possession a certain vulnerability using vulnerability detection data 206 OR asset configuration data 207, and use of vulnerability detection data 206 only corresponds to qualification based on the configuration of the target system “not considered by” the vulnerability scanner, when the configuration data 207 is not utilized. Process 350 can also be considered as a qualification test, as it focuses on vulnerabilities as a risk metric, rather than process 300 as a threat focus for risk metrics. As a result, claims 1, 11, and 20 remain rejected under 102 in light of the amendments to claim 1 described above. Claims 2-10, and 12-19 also remain rejected based on their respective rejections under 102 and 103. Claim Rejections - 35 USC § 101 35 U.S.C. 101 reads as follows: Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title. Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. The independent claims recite “identifyinq, from the vulnerability detection, one or more qualification tests to perform on the target system, the one or more qualification tests comprisinq an executable test that, when executed, causes the target system to qenerate a set of results based on which qualification data qualifyinq the vulnerability detection is qenerated”, “determining the qualification data qualifying the vulnerability detection as a vulnerability detection requiring remediation based on executing the one or more qualification tests, wherein the qualification data is based on a configuration of the target system that is not considered by the vulnerability scanner and indicates whether a vulnerability requires remediation”, and “associating the qualification data with the vulnerability detection”, in which the claim limitations recited amount to processes that can be performed in the mind, and with pen and paper, respectively, and therefore, are grouped under mental processes, as described in MPEP 2106.04(a)(2), subsection III, “Mental Processes”. Furthermore, the claimed limitation of “executing, via a computer network, the executable test on the target system, causing the target system to generate a set of results based on which qualification data qualifying the vulnerability detection is generated”, while utilizing a computer network to execute a test on a system to determine a set of results from qualification data that highlights a vulnerability detection, is concerned with execution of tests to generate data to determine qualifying detections of a particular vulnerability. The generating of result data regarding vulnerabilities, constitutes the claim limitations falling within the abstract idea, specifically the category of mental processes and information analysis, with the aid of a computer. See MPEP § 2106.05(a)(II), “IMPROVEMENTS TO ANY OTHER TECHNOLOGY OR TECHNICAL FIELD”. “Merely adding generic computer components to perform the method is not sufficient. Thus, the claim must include more than mere instructions to perform the method on a generic component or machinery to qualify as an improvement to an existing technology”. This claim limitation also constitutes data analysis, as stated in 2106.04(a)(2)(III), paragraph A, “A Claim With Limitation(s) That Cannot Practically be Performed in the Human Mind Does Not Recite a Mental Process”, where a claim to “collecting information, analyzing it, and displaying certain results of the collection and analysis,” where the data analysis steps are recited at a high level of generality such that they could practically be performed in the human mind, Electric Power Group v. Alstom, S.A., 830 F.3d 1350, 1353-54, 119 USPQ2d 1739, 1741-42 (Fed. Cir. 2016). This judicial exception is not integrated into a practical application because the recited elements of independent claims 1, 11, and 20 amount to simply implementing the mental processes of ‘identifying […] one or more qualification tests to perform on the target […]’, ‘determining the qualification data [of] the vulnerability detection […]’, and ‘associating the qualification data with the vulnerability detection’, where the data analysis steps are recited at a high level of generality such that they could practically be performed in the human mind, Electric, MPEP 2106.04(a)(2), subsection III, paragraph A, “A Claim With Limitation(s) That Cannot Practically be Performed in the Human Mind Does Not Recite a Mental Process”. Furthermore, claim 11 also reciting a system comprising a processor and a non-transitory computer-readable medium with instructions to be executed by a processor, and claim 20 reciting a non-transitory computer-readable medium. The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception because “obtaining a vulnerability detection from a vulnerability scanner for a target system” of independent claims 1, 11, and 20 merely amounts to data gathering, as stated in MPEP 2106.05(g), “Insignificant Extra-Solution Activity”. Dependent claims 2-10, and 12-19 that rely upon independent claims 1, 11, and 20 are rejected for relying upon their respective independent claims. Dependent claims 2-10 depend on independent claim 1, and claims 12-19 depends on claim 11. As independent claims 1, 11, and 20 are rejected under 35 U.S.C. 101, the dependent claims listed are also rejected as well. Regarding claim 2, the recitation of “performing determining qualification data each time a previously unseen vulnerability detection is obtained from the vulnerability scanner for the target system” is a mental process that can be performed in the mind, and therefore, the elements are grouped under mental processes, as described in MPEP 2106.04(a)(2), subsection III, “Mental Processes”. Regarding claim 3, the recitation of “obtaining a plurality of vulnerability detections from a plurality of vulnerability scanners applied against a plurality of target systems residing in a network” merely amounts to data gathering, and therefore, the elements are grouped under data gathering as an insignificant extra-solution activity, as stated in MPEP 2016.05(g), “Insignificant Extra-Solution Activity”. Regarding claim 4, the recitation of “a provider vulnerability identifier identifying a type of the vulnerability detection”, “a target system identifier identifying a target system against which a vulnerability was detected”, and “a source identifier identifying the vulnerability scanner” are mental processes that can be performed in the mind, and therefore, the elements are grouped under mental processes, as described in MPEP 2106.04(a)(2), subsection III, “Mental Processes”. Regarding claim 5, the recitation of “determining configuration data for initializing a vulnerability qualification system identifying: one or more qualification tests, and one or more provider vulnerability identifiers associated with each qualification test”, and “segmenting the plurality of vulnerability detections based on the provider vulnerability identifiers into one or more lists, wherein each of the one or more lists includes one or more vulnerability detections to be qualified using a qualification test identified based on a qualification identifier included in the configuration data” are mental processes that can be performed in the mind, and therefore, the elements are grouped under mental processes, as described in MPEP 2106.04(a)(2), subsection III, “Mental Processes”. Regarding claim 6, the recitation of “a qualification identifier identifying a qualification test performed”, and “a qualification test result characterizing the vulnerability detection” are mental processes that can be performed in the mind, and therefore, the elements are grouped under mental processes, as described in MPEP 2106.04(a)(2), subsection III, “Mental Processes”. Regarding claim 7, the recitation of “determining a plurality of target systems associated with a same provider vulnerability identifier”, and “performing a same qualification test on each target system in the plurality of target systems” are mental processes that can be performed in the mind, and therefore, the elements are grouped under mental processes, as described in MPEP 2106.04(a)(2), subsection III, “Mental Processes”. Regarding claim 8, the recitation of “identifying a qualification test to perform based on matching a provider vulnerability identifier to the qualification test” is a mental process that can be performed in the mind, and therefore, the elements are grouped under mental processes, as described in MPEP 2106.04(a)(2), subsection III, “Mental Processes”. Regarding claim 9, the recitation of “wherein the qualification data includes a qualification test result identifying the vulnerability detection as one of requiring remediation or not requiring remediation” is a mental process that can be performed in the mind, and therefore, the elements are grouped under mental processes, as described in MPEP 2106.04(a)(2), subsection III, “Mental Processes”. Regarding claim 10, the recitation of “wherein the configuration of a target system includes one or more of: an operating system running on the target system”, “a version of an operating system running on the target system”, “a software application running on the target system”, “a version of an application running on the target system”, “a networking port open on the target system”, and “a networking protocol running on the target system” are mental processes that can be performed in the mind, and therefore, the elements are grouped under mental processes, as described in MPEP 2106.04(a)(2), subsection III, “Mental Processes”. Regarding claim 11, the independent claim 11 discloses similar limitations present in independent claim 1 above, and as a result, is also rejected for similar reasons to claim 1 above under 35 U.S.C. 101. Regarding claim 12, claim 12 discloses similar limitations present in claim 6 above, and as a result, is also rejected for similar reasons to claim 6 above under 35 U.S.C. 101. Regarding claim 13, the claim discloses similar limitations present in claim 7 above, and as a result, is also rejected for similar reasons to claim 7 above under 35 U.S.C. 101. Regarding claim 14, the claim discloses similar limitations present in claim 8 above, and as a result, is also rejected for similar reasons to claim 8 above under 35 U.S.C. 101. Regarding claim 15, the claim discloses similar limitations present in claim 9 above, and as a result, is also rejected for similar reasons to claim 9 above under 35 U.S.C. 101. Regarding claim 16, the claim discloses similar limitations present in claim 10 above, and as a result, is also rejected for similar reasons to claim 10 above under 35 U.S.C. 101. Regarding claim 17, the recitation of “storing the qualification data with the vulnerability detection in one or more of a database and a file system” is a mental process that can be performed in the mind with the aid of a computer to store files, and therefore, the elements are grouped under mental processes, as described in MPEP 2106.04(a)(2), subsection III, “Mental Processes”. Regarding claim 18, the recitation of “obtaining contact information associated with the target system against which the vulnerability detection was made”, and “transmitting a notification to a contact identified in the contact information, wherein the notification includes the qualification data” merely amounts to data gathering, and therefore, the elements are grouped under data gathering as an insignificant extra-solution activity, as stated in MPEP 2016.05(g), “Insignificant Extra-Solution Activity”. Regarding claim 19, the recitation of “storing intermediate results from determining qualification data in a qualification log” is a mental process that can be performed in the mind with the aid of a computer to store files, and therefore, the elements are grouped under mental processes, as described in MPEP 2106.04(a)(2), subsection III, “Mental Processes”. Regarding claim 20, the independent claim 20 discloses similar limitations present in independent claim 1 above, and as a result, is also rejected for similar reasons to claim 1 above under 35 U.S.C. 101. Claim Rejections - 35 USC § 102 The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action: A person shall be entitled to a patent unless – (a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention. Claims 1-16, 18, and 20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Basavapatna et al. (US 20130191919 A1), hereinafter Basavapatna-1. Regarding claim 1, Basavapatna-1 discloses ‘a method of qualifying a vulnerability detection for remediation comprising: obtaining a vulnerability detection from a vulnerability scanner for a target system’ ([0021] Countermeasures are utilized to remove vulnerabilities, such as applying a patch to an application or OS component. [0101] Fig. 3B, block 352, vulnerability score is identified for a vulnerability, with paragraph [0059], Fig. 2, stating that vulnerability detection data 206, can include tests from virus scans for an asset.); “identifying, from the vulnerability detection, one or more qualification tests to perform on the target system, the one or more qualification tests comprising an executable test” ([0079] Fig. 3A, process 300 can compare data for a given threat to configuration data 207 of Fig. 2 of a given asset to determine whether a given threat is applicable to the respective asset, corresponding to qualification test to perform on a target system which is an executable test. [0059] Outcome of the tests is also shown in vulnerability detection data 206 of Fig. 2.); “executing, via a computer network, the executable test on the target system, causing the target system to generate a set of results based on which qualification data qualifying the vulnerability detection is generated” ([0084] Process 300 of Fig. 3 determines whether an asset possessing a known vulnerability by analyzing the vulnerability detection data to determine if an outcome identifies said vulnerability, and “if not, process 300 next analyzes data to determine whether any test identified the asset as not possessing or being related to the vulnerability”, where any identified tests correspond to one or more qualification tests that are identified, and generating a set of results based on qualification data qualifying the vulnerability detection. In particular, block 306 of Fig. 3A determines a risk metric for an asset and a threat from exposure factor and criticality score for the asset, assisting in generating a set of results needed for qualifying vulnerabilities.); ‘determining the qualification data qualifying the vulnerability detection as a vulnerability detection requiring remediation based on executing the one or more qualification tests, wherein the qualification data is based on a configuration of the target system that is not considered by the vulnerability scanner and indicates whether a vulnerability requires remediation’ ([0034] Fig. 2, Asset configuration data 207 contains both hardware and software configuration, and is separate from vulnerability detection data 206, with configuration data 207 is excluded from vulnerability detection data 205, and furthermore, in paragraph [0105], Fig. 3B, process 350, where the determination of whether an asset possession a certain vulnerability using vulnerability detection data 206 OR asset configuration data 207, and use of vulnerability detection data 206 only corresponds to qualification based on the configuration of the target system “not considered by” the vulnerability scanner, when the configuration data 207 is not utilized. [0034] Fig. 2, vulnerability detection data 206 specifies, for each asset and each threat, and whether an asset is vulnerable to a threat, which is further expanded upon in [0084], process 300 of Fig. 3 determines whether an asset possessing a known vulnerability by analyzing the vulnerability detection data to determine if an outcome identifies said vulnerability, corresponding to execution of one or more qualification tests which shown vulnerability detections showing that remediation is required. Paragraph [0023] states that sensors for detecting vulnerabilities can be host-based or network-based, as shown in Fig. 2. [0034] Vulnerability definition data 205 includes countermeasures that mitigate risk associated with the vulnerabilities, corresponding to a vulnerability detection requiring remediation based on executing the one or more qualification tests. [0071] Fig. 2, reconcilers 216 in network monitor 102 translates data using a corresponding table which maps identifiers used by a specific source to identifiers by a network monitor.); ‘and associating the qualification data with the vulnerability detection’ ([0034] Fig. 2, vulnerability detection data 206 specifies, for each asset and each threat, and whether an asset is vulnerable to a threat. [0071] Fig. 2, reconcilers 216 in network monitor 102 translates data using a corresponding table which maps identifiers used by a specific source to identifiers by a network monitor 102, which can also contain countermeasure detection data 208.). Regarding claim 2, Basavapatna-1 discloses the limitations of claim 1 as recited above. Basavapatna-1 also discloses the limitation of ‘re-performing determining qualification data each time a previously unseen vulnerability detection is obtained from the vulnerability scanner for the target system’ ([0105] Process 350 can determine if a test whose outcome included in vulnerability detection data identified the asset as having a vulnerability. Paragraph [0061] states that vulnerability detection data 206 can contain only a single test, including a test finding an asset vulnerable. When a test indicating a vulnerability for an asset is received, the process of determining qualification data is performed again, and the test and its outcome in vulnerability detection data corresponds to a previously unseen vulnerability detection. Paragraph [0059] states that tests for vulnerabilities can include virus scans, from virus scanners.). Regarding claim 3, Basavapatna-1 discloses the limitations of claim 1 as recited above. Basavapatna-1 also discloses the limitation of ‘wherein obtaining the vulnerability detection from the vulnerability scanner comprises: obtaining a plurality of vulnerability detections from a plurality of vulnerability scanners applied against a plurality of target systems residing in a network’ ([0034] Vulnerability detection data 206 shows which threats were identified, including a plurality of threats. [0058] Data aggregators receive vulnerability detection data from individual sensors in the system. The sensors correspond to vulnerability scanners of the Applicant. [0014] A plurality of assets can be used to determine how many assets are vulnerable to a vulnerability.). Regarding claim 4, Basavapatna-1 discloses the limitations of claim 1 as recited above. Basavapatna-1 also discloses the limitation of ‘wherein each of the plurality of vulnerability detections includes: a provider vulnerability identifier identifying a type of the vulnerability detection’ ([0084] ); ‘a target system identifier identifying a target system against which a vulnerability was detected’ ([0034] ); ‘and a source identifier identifying the vulnerability scanner’ ([0058] Vulnerability data source(s) 212 are one or more data aggregators, and a data aggregator example is a host-based or network-based sensor, as seen in Fig. 2. Sensors correspond to vulnerability scanners of the Applicant.). Regarding claim 5, Basavapatna-1 discloses the limitations of claims 1 and 4 as recited above. Basavapatna-1 also discloses the limitation of ‘determining configuration data for initializing a vulnerability qualification system identifying: one or more qualification tests’ ([0079] Fig. 3, process 300 can compare data for a given threat to configuration data 207 of Fig. 2 of a given asset to determine whether a given threat is applicable to the respective asset.); ‘and one or more provider vulnerability identifiers associated with each qualification test’ ([0079] Fig. 3, process 300 can compare data for a given threat to configuration data 207 of Fig. 2 of a given asset to determine whether a given threat is applicable to the respective asset. The comparison corresponds to a provider vulnerability identifier of the Applicant.); ‘and segmenting the plurality of vulnerability detections based on the provider vulnerability identifiers into one or more lists, wherein each of the one or more lists includes one or more vulnerability detections to be qualified using a qualification test identified based on a qualification identifier included in the configuration data’ ([0071] Fig. 2, reconcilers 216 translates the data using a table that maps identifiers used by a specific source to identifiers used by a network monitor 102. This includes vulnerability identifiers to map to a table. Configuration data 207 is also included in the table when data is standardized.). Regarding claim 6, Basavapatna-1 discloses the limitations of claim 1 as recited above. Basavapatna-1 also discloses the limitation of ‘wherein the qualification data includes: a qualification identifier identifying a qualification test performed’ ([0071] Fig. 2, reconcilers 216 in network monitor 102 translates data using a corresponding table which maps identifiers used by a specific source to identifiers by a network monitor 102. The table can include tests run for vulnerability detection data 206, stated in paragraph [0059], and a test can include a virus scan.); ‘and a qualification test result characterizing the vulnerability detection’ ([0059] Outcome of the tests is also shown, corresponds to test results characterizing a vulnerability detection of the Applicant.). Regarding claim 7, Basavapatna-1 discloses the limitations of claim 1 as recited above. Basavapatna-1 also discloses the limitation of ‘wherein determining the qualification data qualifying the vulnerability detection comprises: determining a plurality of target systems associated with a same provider vulnerability identifier’ ([0122] Fig. 4, process 400, block 402. Risk metrics are assessed for multiple assets for a particular vulnerability.); ‘and performing a same qualification test on each target system in the plurality of target systems’ ([0123] Risk metrics for each asset can be calculated, with reference to Fig. 3B, block 358.). Regarding claim 8, Basavapatna-1 discloses the limitations of claim 1 as recited above. Basavapatna-1 also discloses the limitation of ‘wherein determining the qualification data qualifying the vulnerability detection comprises: identifying a qualification test to perform based on matching a provider vulnerability identifier to the qualification test’ ([0079] Fig. 3, process 300 can compare data for a given threat to configuration data 207 of Fig. 2 of a given asset to determine whether a given threat is applicable to the respective asset. The comparison corresponds to a provider vulnerability identifier of the Applicant.). Regarding claim 9, Basavapatna-1 discloses the limitations of claim 1 as recited above. Basavapatna-1 also discloses the limitation of ‘wherein the qualification data includes a qualification test result identifying the vulnerability detection as one of requiring remediation or not requiring remediation’ ([0138] The ranking of threats, vulnerabilities, and threats according to the assets. [0140] Aggregate risk metric for any vulnerability or threat goes above a specified threshold, user should be alerted. Paragraph [0068] states that when an alert is sent to a user, countermeasure source(s) 214 can determine that a sensor is protecting an asset with a particular IP address, to which countermeasure source(s) correspond to requiring or not requiring remediation of the Applicant.). Regarding claim 10, Basavapatna-1 discloses the limitations of claim 1 as recited above. Basavapatna-1 also discloses the limitation of ‘wherein the configuration of a target system includes one or more of: an operating system running on the target system’ ([0037] Operating systems is part of configurations.), ‘a version of an operating system running on the target system’ ([0037] Operating system version is part of configurations.), ‘a software application running on the target system’ ([0037] Software products are part of configurations.), ‘a version of an application running on the target system’ ([0053] Software products versions are part of configurations.), ‘a networking port open on the target system’ ([0037] Network port settings, including open ports, are part of configurations.), ‘and a networking protocol running on the target system’ ([0067] Networking protocol, including an IP address, is part of configurations.). Regarding claim 11, Basavapatna-1 discloses the limitations present in independent claim 1 above, and Basavapatna-1 also discloses ‘One or more non-transitory computer-readable media storing instructions that, when executed by one or more processors, cause the one or more processors to perform the steps of:’ ([0141] Computer program instructions in a computer storage medium for execution by a data processing apparatus. [0146] computer-readable media can be on an optical disc, hard disk drives, or other types of media that correspond to a non-transitory storage medium of the Applicant.). Regarding claim 12, Basavapatna-1 discloses the limitations of claim 11 as recited above. Basavapatna-1 also discloses the limitations present in claim 6 above. Regarding claim 13, Basavapatna-1 discloses the limitations of claim 11 as recited above. Basavapatna-1 also discloses the limitations present in claim 7 above. Regarding claim 14, Basavapatna-1 discloses the limitations of claim 11 as recited above. Basavapatna-1 also discloses the limitations present in claim 8 above. Regarding claim 15, Basavapatna-1 discloses the limitations of claim 11 as recited above. Basavapatna-1 also discloses the limitations present in claim 9 above. Regarding claim 16, Basavapatna-1 discloses the limitations of claim 11 as recited above. Basavapatna-1 also discloses the limitations present in claim 10 above. Regarding claim 18, Basavapatna-1 discloses the limitations of claim 11 as recited above. Basavapatna-1 also discloses the limitation of ‘obtaining contact information associated with the target system against which the vulnerability detection was made’ (Paragraph [0068] states that when an alert is sent to a user, countermeasure source(s) 214 can determine that a sensor is protecting an asset with a particular IP address, to which countermeasure source(s) correspond to requiring or not requiring remediation of the Applicant.); ‘and transmitting a notification to a contact identified in the contact information, wherein the notification includes the qualification data’ (Paragraph [0068] states that when an alert is sent to a user, countermeasure source(s) 214 can determine that a sensor is protecting an asset with a particular IP address, to which countermeasure source(s) correspond to requiring or not requiring remediation of the Applicant.). Regarding claim 20, Basavapatna-1 discloses the limitations present in independent claim 1 above, and Basavapatna-1 discloses ‘A system comprising: a memory storing a qualification module’ ([0013] System can contain a memory element, and a network monitor, where the reconciler can be stored in the network monitor, itself stored in memory, stated in paragraph [0028]. The reconciler corresponds to a qualification module of the Applicant.); Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claims 17, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Basavapatna-1 in view of Basavapatna et al. (US 20130096980 A1), hereinafter Basavapatna-2. Regarding claim 17, Basavapatna-1 discloses the limitations of claim 11 as recited above. Basavapatna-1 does not appear to disclose, but Basavapatna-2 teaches the method of ‘wherein associating the qualification data with the vulnerability detection comprises: storing the qualification data with the vulnerability detection in one or more of a database and a file system’ ([0052] Risk diagnostics can be recorded in assessment records stored in data store 280. Assessment records correspond to a file system, and a data store corresponds to database of the Applicant. Assessments can correspond to qualification data of the Applicant.). Accordingly, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention, having the teachings of Basavapatna-1 and Basavapatna-2 before them, to include Basavapatna-2’s ‘storing the qualification data with the vulnerability detection in one or more of a database and a file system’ in Basavapatna-1’s non-transitory computer-readable media performing ‘obtaining a vulnerability detection from a vulnerability scanner for a target system’. One would have been motivated to make such a combination to increase efficiency by having endpoints in a larger system store data associated with a larger system, including assessments of vulnerabilities, as taught in Basavapatna-2 [0017]. Regarding claim 19, Basavapatna-1 discloses the limitations of claim 11 as recited above. Basavapatna-1 does not appear to disclose, but Basavapatna-2 teaches the method of ‘storing intermediate results from determining qualification data in a qualification log’ ([0052] Risk diagnostics can be recorded in assessment records stored in data store 280. Risk diagnostics correspond to intermediate results from determining qualification data of the Applicant, and assessment records correspond to qualification logs of the Applicant.). Accordingly, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention, having the teachings of Basavapatna-1 and Basavapatna-2 before them, to include Basavapatna-2’s ‘storing intermediate results from determining qualification data in a qualification log’ in Basavapatna-1’s non-transitory computer-readable media performing ‘obtaining a vulnerability detection from a vulnerability scanner for a target system’. One would have been motivated to make such a combination to increase efficiency by having a risk assessment monitor store data of various types, including configuration data, countermeasure detection, and vulnerability detection data, and data stores are utilized to retain information about various endpoints, as taught in Basavapatna-2 [0034]. Conclusion THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to TOMMY MARTINEZ whose telephone number is (703)756-5651. The examiner can normally be reached Monday thru Friday 8AM-4PM ET. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge L. Ortiz-Criado can be reached at (571) 272-7624 on Monday thru Friday, 7AM-7PM ET. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /T.M./Examiner, Art Unit 2496 /JORGE L ORTIZ CRIADO/Supervisory Patent Examiner, Art Unit 2496
Read full office action

Prosecution Timeline

Show 2 earlier events
Oct 02, 2025
Response Filed
Oct 23, 2025
Final Rejection mailed — §101, §102, §103
Dec 11, 2025
Response after Non-Final Action
Jan 23, 2026
Request for Continued Examination
Jan 29, 2026
Response after Non-Final Action
Feb 10, 2026
Non-Final Rejection mailed — §101, §102, §103
May 07, 2026
Response Filed
May 28, 2026
Final Rejection mailed — §101, §102, §103 (current)

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

5-6
Expected OA Rounds
14%
Grant Probability
-6%
With Interview (-20.0%)
2y 4m (~0m remaining)
Median Time to Grant
High
PTA Risk
Based on 7 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month