Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on October 23, 2025 has been entered.
Response to Arguments
Applicant's arguments filed January 23, 2026 have been fully considered but they are not persuasive.
In pages 1-3 of the remarks, Applicant states that in independent claims 1, 11, and 20, the claims recite “identifying, from the vulnerability detection, one or more qualification tests to perform on the target system, […] to generate a set of results based on which qualification data qualifying the vulnerability detection is generated” and “determining the qualification data qualifying the vulnerability detection [… which] indicates whether a vulnerability requires remediation”, and that no reference discloses, teaches, or otherwise suggests such a combination to recite the features of the independent claims. Basavapatna (U.S. PGPub 20130191919), hereinafter “Basavapatna-1”, discusses techniques to quantify risk presented by a vulnerability in a computing system, and shows various scores or other metrics that quantify the risk presented by a vulnerability to a computing system, including a standardized vulnerability score, a vulnerability detector score, and other metrics as stated in Basavapatna-1, paragraph [0012]. Applicant states that as Basavapatna-1 contemplates that the vulnerability detection data is generated based on executing tests on an asset, it does not disclose “identifying, from the vulnerability detection, one or more qualification tests to perform on the target system, […] to generate a set of results based on which qualification data qualifying the vulnerability detection is generated”, as the vulnerability detection data of Applicant includes information about a vulnerability and information about whether “any test whose outcome is included in the vulnerability detection data identified the asset as possessing the corresponding vulnerability”. Applicant argues that Basavapatna-1 merely states that “multiple sensors may test for the same vulnerability” but does not state how tests are selected or are executable tests that cause target system to generate a set of results based on qualification data that qualifies the vulnerability detection, and that the rejections for independent claims 1, 11, and 20 be withdrawn.
Examiner disagrees with the Applicant’s arguments regarding the withdrawal of 35 U.S.C. 102 of independent claims 1, 11, and 20 over the prior art of Basavapatna-1. The vulnerability detection data of Basavapatna-1 is stated in paragraph [0034] that, for each asset and threat individually, whether an asset is vulnerable to a threat, shown in Fig. 2. Process 300 in Fig. 3A is performed to determine if an asset possesses a known vulnerability, which is performed by analyzing said vulnerability detection data, which corresponds to execution of one or more qualification tests to show if remediation is required. As a result of Fig. 3A’s process 300 being capable of determining if an outcome included in a vulnerability detection data identifies an asset as possessing a certain vulnerability/threat as stated in Fig. 3A, the prior art of Basavapatna-1 discloses the limitation of “identifying, from the vulnerability detection, one or more qualification tests to perform on the target system, […] to generate a set of results based on which qualification data qualifying the vulnerability detection is generated”. Furthermore, with regards to the Applicant’s argument that Basavapatna-1 does not describe how tests are selected or that tests are executable causing a target system to generate a set of results for which qualification data qualifies a vulnerability detection, Examiner states that in paragraph [0084] of Basavapatna-1, process 300 of Fig. 3 determines whether an asset possessing a known vulnerability by analyzing the vulnerability detection data to determine if an outcome identifies said vulnerability, corresponds to generating a set of results based on qualification data qualifying the vulnerability detection. Support can also be found in paragraph [0062] of Basavapatna-1, where tests in the vulnerability detection data can indicate types including virus scans, system configuration checks, and outcomes of the tests are included, and Fig. 3A’s process 300 determination of a particular vulnerability included in the tests described in paragraph [0084] regarding the relation between an asset and a vulnerability and what steps to perform if vulnerabilities are found or not to determine a vulnerability score. Finally, the limitation of “determining the qualification data qualifying the vulnerability detection [… which] indicates whether a vulnerability requires remediation” is disclosed in paragraph [0084] where process 300 determines if assets contain known vulnerabilities by analyzing vulnerability detection data to determine if an outcome identifies the vulnerability. As a result, Examiner maintains the rejections made under 35 U.S.C. 102 for the independent claims 1, 11, and 20 over Basavapatna-1.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. The independent claims recite “identifyinq, from the vulnerability detection, one or more qualification tests to perform on the target system, the one or more qualification tests comprisinq an executable test that, when executed, causes the target system to qenerate a set of results based on which qualification data qualifyinq the vulnerability detection is qenerated”, “determining the qualification data qualifying the vulnerability detection as a vulnerability detection requiring remediation based on executing the one or more qualification tests, wherein the qualification data is based on a configuration of the target system excluded in the vulnerability detection from the vulnerability scanner and indicates whether a vulnerability requires remediation”, and “associating the qualification data with the vulnerability detection”, in which the claim limitations recited amount to processes that can be performed in the mind, and with pen and paper, respectively, and therefore, are grouped under mental processes, as described in MPEP 2106.04(a)(2), subsection III, “Mental Processes”. This judicial exception is not integrated into a practical application because the recited elements of independent claims 1, 11, and 20 amount to simply implementing the mental processes of ‘identifying […] one or more qualification tests to perform on the target […]’, ‘determining the qualification data [of] the vulnerability detection […]’, and ‘associating the qualification data with the vulnerability detection’, where the data analysis steps are recited at a high level of generality such that they could practically be performed in the human mind, Electric, MPEP 2106.04(a)(2), subsection III, paragraph A, “A Claim With Limitation(s) That Cannot Practically be Performed in the Human Mind Does Not Recite a Mental Process”. Furthermore, claim 11 also reciting a system comprising a processor and a non-transitory computer-readable medium with instructions to be executed by a processor, and claim 20 reciting a non-transitory computer-readable medium. The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception because “obtaining a vulnerability detection from a vulnerability scanner for a target system” of independent claims 1, 11, and 20 merely amounts to data gathering, as stated in MPEP 2106.05(g), “Insignificant Extra-Solution Activity”.
Dependent claims 2-10, and 12-19 that rely upon independent claims 1, 11, and 20 are rejected for relying upon their respective independent claims. Dependent claims 2-10 depend on independent claim 1, and claims 12-19 depends on claim 11. As independent claims 1, 11, and 20 are rejected under 35 U.S.C. 101, the dependent claims listed are also rejected as well.
Regarding claim 2, the recitation of “performing determining qualification data each time a previously unseen vulnerability detection is obtained from the vulnerability scanner for the target system” is a mental process that can be performed in the mind, and therefore, the elements are grouped under mental processes, as described in MPEP 2106.04(a)(2), subsection III, “Mental Processes”.
Regarding claim 3, the recitation of “obtaining a plurality of vulnerability detections from a plurality of vulnerability scanners applied against a plurality of target systems residing in a network” merely amounts to data gathering, and therefore, the elements are grouped under data gathering as an insignificant extra-solution activity, as stated in MPEP 2016.05(g), “Insignificant Extra-Solution Activity”.
Regarding claim 4, the recitation of “a provider vulnerability identifier identifying a type of the vulnerability detection”, “a target system identifier identifying a target system against which a vulnerability was detected”, and “a source identifier identifying the vulnerability scanner” are mental processes that can be performed in the mind, and therefore, the elements are grouped under mental processes, as described in MPEP 2106.04(a)(2), subsection III, “Mental Processes”.
Regarding claim 5, the recitation of “determining configuration data for initializing a vulnerability qualification system identifying:one or more qualification tests, and one or more provider vulnerability identifiers associated with each qualification test”, and “segmenting the plurality of vulnerability detections based on the provider vulnerability identifiers into one or more lists, wherein each of the one or more lists includes one or more vulnerability detections to be qualified using a qualification test identified based on a qualification identifier included in the configuration data” are mental processes that can be performed in the mind, and therefore, the elements are grouped under mental processes, as described in MPEP 2106.04(a)(2), subsection III, “Mental Processes”.
Regarding claim 6, the recitation of “a qualification identifier identifying a qualification test performed”, and “a qualification test result characterizing the vulnerability detection” are mental processes that can be performed in the mind, and therefore, the elements are grouped under mental processes, as described in MPEP 2106.04(a)(2), subsection III, “Mental Processes”.
Regarding claim 7, the recitation of “determining a plurality of target systems associated with a same provider vulnerability identifier”, and “performing a same qualification test on each target system in the plurality of target systems” are mental processes that can be performed in the mind, and therefore, the elements are grouped under mental processes, as described in MPEP 2106.04(a)(2), subsection III, “Mental Processes”.
Regarding claim 8, the recitation of “identifying a qualification test to perform based on matching a provider vulnerability identifier to the qualification test” is a mental process that can be performed in the mind, and therefore, the elements are grouped under mental processes, as described in MPEP 2106.04(a)(2), subsection III, “Mental Processes”.
Regarding claim 9, the recitation of “wherein the qualification data includes a qualification test result identifying the vulnerability detection as one of requiring remediation or not requiring remediation” is a mental process that can be performed in the mind, and therefore, the elements are grouped under mental processes, as described in MPEP 2106.04(a)(2), subsection III, “Mental Processes”.
Regarding claim 10, the recitation of “wherein the configuration of a target system includes one or more of: an operating system running on the target system”, “a version of an operating system running on the target system”, “a software application running on the target system”, “a version of an application running on the target system”, “a networking port open on the target system”, and “a networking protocol running on the target system” are mental processes that can be performed in the mind, and therefore, the elements are grouped under mental processes, as described in MPEP 2106.04(a)(2), subsection III, “Mental Processes”.
Regarding claim 11, the independent claim 11 discloses similar limitations present in independent claim 1 above, and as a result, is also rejected for similar reasons to claim 1 above under 35 U.S.C. 101.
Regarding claim 12, claim 12 discloses similar limitations present in claim 6 above, and as a result, is also rejected for similar reasons to claim 6 above under 35 U.S.C. 101.
Regarding claim 13, the claim discloses similar limitations present in claim 7 above, and as a result, is also rejected for similar reasons to claim 7 above under 35 U.S.C. 101.
Regarding claim 14, the claim discloses similar limitations present in claim 8 above, and as a result, is also rejected for similar reasons to claim 8 above under 35 U.S.C. 101.
Regarding claim 15, the claim discloses similar limitations present in claim 9 above, and as a result, is also rejected for similar reasons to claim 9 above under 35 U.S.C. 101.
Regarding claim 16, the claim discloses similar limitations present in claim 10 above, and as a result, is also rejected for similar reasons to claim 10 above under 35 U.S.C. 101.
Regarding claim 17, the recitation of “storing the qualification data with the vulnerability detection in one or more of a database and a file system” is a mental process that can be performed in the mind with the aid of a computer to store files, and therefore, the elements are grouped under mental processes, as described in MPEP 2106.04(a)(2), subsection III, “Mental Processes”.
Regarding claim 18, the recitation of “obtaining contact information associated with the target system against which the vulnerability detection was made”, and “transmitting a notification to a contact identified in the contact information, wherein the notification includes the qualification data” merely amounts to data gathering, and therefore, the elements are grouped under data gathering as an insignificant extra-solution activity, as stated in MPEP 2016.05(g), “Insignificant Extra-Solution Activity”.
Regarding claim 19, the recitation of “storing intermediate results from determining qualification data in a qualification log” is a mental process that can be performed in the mind with the aid of a computer to store files, and therefore, the elements are grouped under mental processes, as described in MPEP 2106.04(a)(2), subsection III, “Mental Processes”.
Regarding claim 20, the independent claim 20 discloses similar limitations present in independent claim 1 above, and as a result, is also rejected for similar reasons to claim 1 above under 35 U.S.C. 101.
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.
Claims 1-16, 18, and 20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Basavapatna et al. (US 20130191919 A1), hereinafter Basavapatna-1.
Regarding claim 1, Basavapatna-1 discloses ‘a method of qualifying a vulnerability detection for remediation comprising:
obtaining a vulnerability detection from a vulnerability scanner for a target system’ ([0021] Countermeasures are utilized to remove vulnerabilities, such as applying a patch to an application or OS component. [0101] Fig. 3B, block 352, vulnerability score is identified for a vulnerability, with paragraph [0059], Fig. 2,stating that vulnerability detection data 206, can include tests from virus scans for an asset.);
‘identifying, from the vulnerability detection, one or more qualification tests to perform on the target system, the one or more qualification tests comprising an executable test that, when executed, causes the target system to generate a set of results based on which qualification data qualifying the vulnerability detection is generated’ ([0079] Fig. 3A, process 300 can compare data for a given threat to configuration data 207 of Fig. 2 of a given asset to determine whether a given threat is applicable to the respective asset, corresponding to qualification test to perform on a target system which is an executable test. [0059] Outcome of the tests is also shown in vulnerability detection data 206 of Fig. 2, and in [0084], process 300 of Fig. 3 determines whether an asset possessing a known vulnerability by analyzing the vulnerability detection data to determine if an outcome identifies said vulnerability, and “if not, process 300 next analyzes data to determine whether any test identified the asset as not possessing or being related to the vulnerability”, where any identified tests correspond to one or more qualification tests that are identified, and generating a set of results based on qualification data qualifying the vulnerability detection. In particular, block 306 of Fig. 3A determines a risk metric for an asset and a threat from exposure factor and criticality score for the asset, assisting in generating a set of results needed for qualifying vulnerabilities.)
‘determining the qualification data qualifying the vulnerability detection as a vulnerability detection requiring remediation based on executing the one or more qualification tests, wherein the qualification data is based on a configuration of the target system excluded in the vulnerability detection from the vulnerability scanner and indicates whether a vulnerability requires remediation’ ([0034] Fig. 2, Asset configuration data 207 contains both hardware and software configuration, and is separate from vulnerability detection data 206, with configuration data 207 is excluded from vulnerability detection data 205. A countermeasure component score is part of vulnerability detection data 205, derived from the asset configuration data 207. [0034] Fig. 2, vulnerability detection data 206 specifies, for each asset and each threat, and whether an asset is vulnerable to a threat, which is further expanded upon in [0084], process 300 of Fig. 3 determines whether an asset possessing a known vulnerability by analyzing the vulnerability detection data to determine if an outcome identifies said vulnerability, corresponding to execution of one or more qualification tests which shown vulnerability detections showing that remediation is required. Paragraph [0023] states that sensors for detecting vulnerabilities can be host-based or network-based, as shown in Fig. 2. [0034] Vulnerability definition data 205 includes countermeasures that mitigate risk associated with the vulnerabilities, corresponding to a vulnerability detection requiring remediation based on executing the one or more qualification tests. [0071] Fig. 2, reconcilers 216 in network monitor 102 translates data using a corresponding table which maps identifiers used by a specific source to identifiers by a network monitor.);
‘and associating the qualification data with the vulnerability detection’ ([0034] Fig. 2, vulnerability detection data 206 specifies, for each asset and each threat, and whether an asset is vulnerable to a threat. [0071] Fig. 2, reconcilers 216 in network monitor 102 translates data using a corresponding table which maps identifiers used by a specific source to identifiers by a network monitor 102, which can also contain countermeasure detection data 208.).
Regarding claim 2, Basavapatna-1 discloses the limitations of claim 1 as recited above. Basavapatna-1 also discloses the limitation of ‘re-performing determining qualification data each time a previously unseen vulnerability detection is obtained from the vulnerability scanner for the target system’ ([0105] Process 350 can determine if a test whose outcome included in vulnerability detection data identified the asset as having a vulnerability. Paragraph [0061] states that vulnerability detection data 206 can contain only a single test, including a test finding an asset vulnerable. When a test indicating a vulnerability for an asset is received, the process of determining qualification data is performed again, and the test and its outcome in vulnerability detection data corresponds to a previously unseen vulnerability detection. Paragraph [0059] states that tests for vulnerabilities can include virus scans, from virus scanners.).
Regarding claim 3, Basavapatna-1 discloses the limitations of claim 1 as recited above. Basavapatna-1 also discloses the limitation of ‘wherein obtaining the vulnerability detection from the vulnerability scanner comprises: obtaining a plurality of vulnerability detections from a plurality of vulnerability scanners applied against a plurality of target systems residing in a network’ ([0034] Vulnerability detection data 206 shows which threats were identified, including a plurality of threats. [0058] Data aggregators receive vulnerability detection data from individual sensors in the system. The sensors correspond to vulnerability scanners of the Applicant. [0014] A plurality of assets can be used to determine how many assets are vulnerable to a vulnerability.).
Regarding claim 4, Basavapatna-1 discloses the limitations of claim 1 as recited above. Basavapatna-1 also discloses the limitation of ‘wherein each of the plurality of vulnerability detections includes: a provider vulnerability identifier identifying a type of the vulnerability detection’ ([0084] );
‘a target system identifier identifying a target system against which a vulnerability was detected’ ([0034] );
‘and a source identifier identifying the vulnerability scanner’ ([0058] Vulnerability data source(s) 212 are one or more data aggregators, and a data aggregator example is a host-based or network-based sensor, as seen in Fig. 2. Sensors correspond to vulnerability scanners of the Applicant.).
Regarding claim 5, Basavapatna-1 discloses the limitations of claims 1 and 4 as recited above. Basavapatna-1 also discloses the limitation of ‘determining configuration data for initializing a vulnerability qualification system identifying: one or more qualification tests’ ([0079] Fig. 3, process 300 can compare data for a given threat to configuration data 207 of Fig. 2 of a given asset to determine whether a given threat is applicable to the respective asset.);
‘and one or more provider vulnerability identifiers associated with each qualification test’ ([0079] Fig. 3, process 300 can compare data for a given threat to configuration data 207 of Fig. 2 of a given asset to determine whether a given threat is applicable to the respective asset. The comparison corresponds to a provider vulnerability identifier of the Applicant.);
‘and segmenting the plurality of vulnerability detections based on the provider vulnerability identifiers into one or more lists, wherein each of the one or more lists includes one or more vulnerability detections to be qualified using a qualification test identified based on a qualification identifier included in the configuration data’ ([0071] Fig. 2, reconcilers 216 translates the data using a table that maps identifiers used by a specific source to identifiers used by a network monitor 102. This includes vulnerability identifiers to map to a table. Configuration data 207 is also included in the table when data is standardized.).
Regarding claim 6, Basavapatna-1 discloses the limitations of claim 1 as recited above. Basavapatna-1 also discloses the limitation of ‘wherein the qualification data includes: a qualification identifier identifying a qualification test performed’ ([0071] Fig. 2, reconcilers 216 in network monitor 102 translates data using a corresponding table which maps identifiers used by a specific source to identifiers by a network monitor 102. The table can include tests run for vulnerability detection data 206, stated in paragraph [0059], and a test can include a virus scan.);
‘and a qualification test result characterizing the vulnerability detection’ ([0059] Outcome of the tests is also shown, corresponds to test results characterizing a vulnerability detection of the Applicant.).
Regarding claim 7, Basavapatna-1 discloses the limitations of claim 1 as recited above. Basavapatna-1 also discloses the limitation of ‘wherein determining the qualification data qualifying the vulnerability detection comprises: determining a plurality of target systems associated with a same provider vulnerability identifier’ ([0122] Fig. 4, process 400, block 402. Risk metrics are assessed for multiple assets for a particular vulnerability.);
‘and performing a same qualification test on each target system in the plurality of target systems’ ([0123] Risk metrics for each asset can be calculated, with reference to Fig. 3B, block 358.).
Regarding claim 8, Basavapatna-1 discloses the limitations of claim 1 as recited above. Basavapatna-1 also discloses the limitation of ‘wherein determining the qualification data qualifying the vulnerability detection comprises: identifying a qualification test to perform based on matching a provider vulnerability identifier to the qualification test’ ([0079] Fig. 3, process 300 can compare data for a given threat to configuration data 207 of Fig. 2 of a given asset to determine whether a given threat is applicable to the respective asset. The comparison corresponds to a provider vulnerability identifier of the Applicant.).
Regarding claim 9, Basavapatna-1 discloses the limitations of claim 1 as recited above. Basavapatna-1 also discloses the limitation of ‘wherein the qualification data includes a qualification test result identifying the vulnerability detection as one of requiring remediation or not requiring remediation’ ([0138] The ranking of threats, vulnerabilities, and threats according to the assets. [0140] Aggregate risk metric for any vulnerability or threat goes above a specified threshold, user should be alerted. Paragraph [0068] states that when an alert is sent to a user, countermeasure source(s) 214 can determine that a sensor is protecting an asset with a particular IP address, to which countermeasure source(s) correspond to requiring or not requiring remediation of the Applicant.).
Regarding claim 10, Basavapatna-1 discloses the limitations of claim 1 as recited above. Basavapatna-1 also discloses the limitation of ‘wherein the configuration of a target system includes one or more of: an operating system running on the target system’ ([0037] Operating systems is part of configurations.),
‘a version of an operating system running on the target system’ ([0037] Operating system version is part of configurations.),
‘a software application running on the target system’ ([0037] Software products are part of configurations.),
‘a version of an application running on the target system’ ([0053] Software products versions are part of configurations.),
‘a networking port open on the target system’ ([0037] Network port settings, including open ports, are part of configurations.),
‘and a networking protocol running on the target system’ ([0067] Networking protocol, including an IP address, is part of configurations.).
Regarding claim 11, Basavapatna-1 discloses the limitations present in independent claim 1 above, and Basavapatna-1 also discloses ‘One or more non-transitory computer-readable media storing instructions that, when executed by one or more processors, cause the one or more processors to perform the steps of:’ ([0141] Computer program instructions in a computer storage medium for execution by a data processing apparatus. [0146] computer-readable media can be on an optical disc, hard disk drives, or other types of media that correspond to a non-transitory storage medium of the Applicant.).
Regarding claim 12, Basavapatna-1 discloses the limitations of claim 11 as recited above. Basavapatna-1 also discloses the limitations present in claim 6 above.
Regarding claim 13, Basavapatna-1 discloses the limitations of claim 11 as recited above. Basavapatna-1 also discloses the limitations present in claim 7 above.
Regarding claim 14, Basavapatna-1 discloses the limitations of claim 11 as recited above. Basavapatna-1 also discloses the limitations present in claim 8 above.
Regarding claim 15, Basavapatna-1 discloses the limitations of claim 11 as recited above. Basavapatna-1 also discloses the limitations present in claim 9 above.
Regarding claim 16, Basavapatna-1 discloses the limitations of claim 11 as recited above. Basavapatna-1 also discloses the limitations present in claim 10 above.
Regarding claim 18, Basavapatna-1 discloses the limitations of claim 11 as recited above. Basavapatna-1 also discloses the limitation of ‘obtaining contact information associated with the target system against which the vulnerability detection was made’ (Paragraph [0068] states that when an alert is sent to a user, countermeasure source(s) 214 can determine that a sensor is protecting an asset with a particular IP address, to which countermeasure source(s) correspond to requiring or not requiring remediation of the Applicant.);
‘and transmitting a notification to a contact identified in the contact information, wherein the notification includes the qualification data’ (Paragraph [0068] states that when an alert is sent to a user, countermeasure source(s) 214 can determine that a sensor is protecting an asset with a particular IP address, to which countermeasure source(s) correspond to requiring or not requiring remediation of the Applicant.).
Regarding claim 20, Basavapatna-1 discloses the limitations present in independent claim 1 above, and Basavapatna-1 discloses ‘A system comprising: a memory storing a qualification module’ ([0013] System can contain a memory element, and a network monitor, where the reconciler can be stored in the network monitor, itself stored in memory, stated in paragraph [0028]. The reconciler corresponds to a qualification module of the Applicant.);
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 17, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Basavapatna-1 in view of Basavapatna et al. (US 20130096980 A1), hereinafter Basavapatna-2.
Regarding claim 17, Basavapatna-1 discloses the limitations of claim 11 as recited above. Basavapatna-1 does not appear to disclose, but Basavapatna-2 teaches the method of ‘wherein associating the qualification data with the vulnerability detection comprises: storing the qualification data with the vulnerability detection in one or more of a database and a file system’ ([0052] Risk diagnostics can be recorded in assessment records stored in data store 280. Assessment records correspond to a file system, and a data store corresponds to database of the Applicant. Assessments can correspond to qualification data of the Applicant.).
Accordingly, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention, having the teachings of Basavapatna-1 and Basavapatna-2 before them, to include Basavapatna-2’s ‘storing the qualification data with the vulnerability detection in one or more of a database and a file system’ in Basavapatna-1’s non-transitory computer-readable media performing ‘obtaining a vulnerability detection from a vulnerability scanner for a target system’. One would have been motivated to make such a combination to increase efficiency by having endpoints in a larger system store data associated with a larger system, including assessments of vulnerabilities, as taught in Basavapatna-2 [0017].
Regarding claim 19, Basavapatna-1 discloses the limitations of claim 11 as recited above. Basavapatna-1 does not appear to disclose, but Basavapatna-2 teaches the method of ‘storing intermediate results from determining qualification data in a qualification log’ ([0052] Risk diagnostics can be recorded in assessment records stored in data store 280. Risk diagnostics correspond to intermediate results from determining qualification data of the Applicant, and assessment records correspond to qualification logs of the Applicant.).
Accordingly, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention, having the teachings of Basavapatna-1 and Basavapatna-2 before them, to include Basavapatna-2’s ‘storing intermediate results from determining qualification data in a qualification log’ in Basavapatna-1’s non-transitory computer-readable media performing ‘obtaining a vulnerability detection from a vulnerability scanner for a target system’. One would have been motivated to make such a combination to increase efficiency by having a risk assessment monitor store data of various types, including configuration data, countermeasure detection, and vulnerability detection data, and data stores are utilized to retain information about various endpoints, as taught in Basavapatna-2 [0034].
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 20230229788 A1 (Pieno et al., “AGENT-BASED VULNERABILITY MANAGEMENT”)
US 8495747 B1 (Nakawatase et al., “Prioritizing Asset Remediations”)
US 10867037 B2 (Griffin et al., “Security Mitigation Action Selection Based On Device Usage”)
US 20250233884 A1 (Sherr Lurie et al., “Exposure and Attack Surface Management Using a Data Fabric”)
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TOMMY MARTINEZ whose telephone number is (703)756-5651. The examiner can normally be reached Monday thru Friday 8AM-4PM ET. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge L. Ortiz-Criado can be reached at (571) 272-7624 on Monday thru Friday, 7AM-7PM ET. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/T.M./ Examiner, Art Unit 2496
/JORGE L ORTIZ CRIADO/ Supervisory Patent Examiner, Art Unit 2496