Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

DETAILED ACTION

Claims 1-5 are pending in this office action. Claims 6-7 have been cancelled. 
Applicant’s arguments, filed 12/28/2021, have been fully considered but they are not persuasive.

Response to Arguments
Applicant presents arguments regarding the presence or absence of claimed limitations in the prior art. The responses as well as any applicable new grounds of rejection are outlined below.

Applicant argues:
Claim 1 was rejected under 35 U.S.C. § 102 based upon Bach et al., U.S. Patent Publication No. 2017/0180410 ("Bach"). Bach is specifically referring to vulnerability scanning and notification for automated detection and notification. Bach specifically refers to cloud security threat intelligence use-cases. For example, in Paragraph [0080], Bach describes indicates that when a vulnerability is identified, a notification message is sent to the corresponding operator. Bach does not teach or suggest that prior to remediation of the security vulnerability, the security vulnerability is classified as is specified in claim 1. The processing steps described in the paragraphs from Bach that are listed at the top of page 6 of the Office Action are not what a person of skill in the art would recognize as classification as is described and claimed in this application. The claimed invention collates and correlates across multiple parameters to classify and categorize security vulnerabilities. Therefore, independent claim 1 is not anticipated by Bach.
Examiner Response:
Regarding argument (a), examiner respectfully disagrees with applicant. Examiner respectfully points out that the step of classification, as claimed, is just one of the tasks that is performed in the system, and the claim does not require that it be performed in any specific order (prior to, or after categorization). Furthermore, classification of security vulnerabilities is a result that is achieved based on any of the factors such as referencing CVE, software type used, historical data etc. The CVE alone comprises of many different types or classes of vulnerabilities that are referenced, based on which vulnerabilities are differentiated, distinguished or classified. Classification is a broad idea of differentiating or inherently categorizing entities based on one or more factors. The specifications does not provide any specific or limiting definition of vulnerability classification the way it is utilized in the application or in the claim language addressed herein. Furthermore, besides CVE vulnerabilities listing or classification, the steps of determining vulnerabilities and associating with different components (para 0079 - vulnerabilities for server 210 v/s for application 210) imply classification of vulnerability with respect to (or directed to) such Bach as explained above as well as in the rejection.



Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1 is rejected under 35 U.S.C. 102(a)(1), 102(a)(2) as being anticipated by Bach et al. (US 2017/0180410 A1, Bach hereinafter).
For claim 1, Bach teaches a system for organization, identification, classification and remediation of security vulnerabilities in computer applications, the system comprising: a plurality of computing devices, wherein the computing devices are enabled to run computer applications (Fig. 2 element 245; para 0040-0041 - applications on plurality of computing devices/servers); and 
a digital storage mechanism configured with a risk language library, wherein the digital storage mechanism is configured to communicably couple with the plurality of computing devices through wired or wireless means (Fig. 1A, 1B, 2; para 0017, 0029-0030, 0040 - user and/or computing devices are communicatively connected to a storage mechanism comprising various elements associated with various vulnerability management/detection components), and wherein the risk language library is configured to enable organization, identification, classification and remediation of security vulnerabilities in computer applications that run on the plurality of computing devices (para 0040, 0079-0080, 0085-0087 - vulnerability identification, organizing vulnerability information before and after identification, identification of software type or categorizing the vulnerability by software type or historical vulnerability, and vulnerability remediation).




Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 2-3 are rejected under 35 U.S.C. 103 as being unpatentable over Bach et al. (US 2017/0180410 A1, Bach hereinafter), in view of Martinez et al. (US 2014/0137257 A1, Martinez hereinafter), and further in view of Cran et al. (US 11,019.091 B2, Cran hereinafter).
For claim 2, Bach teaches wherein the risk language library further comprises: a metadata module, wherein the metadata module further comprises sub-modules relating to common weakness enumerations (CWEs), related CWEs, name, description, aliases and common vulnerabilities and exposures (CVEs) (para 0040 - CVEs and CWEs for vulnerability listings, including supplemented (related) vulnerability information, and wherein it is well-known that CWE and CVE databases maintained by Mitre have names, description and associated identifiers with the vulnerabilities and weaknesses associated with different elements or components of IT);
a technology module, wherein the technology module further comprises a component module (Fig. 1-2 - many components associated with one or more technology modules of the system);
a features module, the features module further comprises sub-modules relating to features (para 0041-0063 - different system features including software environments associated with software or applications);
a mitigations module, wherein the mitigations module is further sub-categorized, including generic mitigations by stage (para 0080-0089 - remediation or mitigation including suggested remediation for vulnerabilities according to various instances or stages of vulnerabilities); 
a breaches module, wherein the breaches module further comprises sub- modules relating to possible breach in the system (para 0040, 0089-0090 - breach in the system and CWE); and 
a compliance module, wherein the compliance module further comprises sub-modules relating to standard name, standard identification reference and industry applicability (para 0037, 0040, 0042, 0063, 0079-0080, 0083-0084, 0087, 0089-0090 - compliance such as application or patch version update with version number identifier and applicability with respect to the element with respective versions, such as applications/software intended for specific tasks).
Although it is well-known in the art to incorporate tracking of vulnerabilities, breaches and other information associated with security concerns such as vulnerabilities as well as affected areas in the system, Bach does not appear to explicitly disclose, however Martinez discloses CVEs and CWEs employed for vulnerability determination along with associated metadata information stored therewith (para 0113, 0119, 0191), a features module, the features module further comprises sub-modules relating to feature name, feature type, impact and attributes (para 0010, 0048, 0050, 0054, 0056, 0090, 0098, 0152, 0156 - feature or functional purpose of entities in the system including software entities, feature types associated with entities, and the associated impact with attributes or characteristics); 
an examples module, wherein the examples module further comprises a sub-module relating to code, and wherein the code is classified as good code and bad code(para 0193; Table 15 - good and black or blacklisted code/software; see also tables 11-12);
a breaches module, wherein the breaches module further comprises sub- modules relating to name of the breach, attack vectors used by CWE and technique (para 0090, 0191, 0196, 0199, 0207, 0209 - breach or attacks are identified, attack vectors (attack techniques are indicated by the attack type) and vulnerability/weakness associated therewith in reference to CWE).
Although Martinez discloses bug discovery aspects (Tables 15, 18), the combination of Bach and Martinez does not disclose, however Cran discloses a bug bounty activity module, wherein the bug bounty activity module further comprises sub-modules relating to bounty name, company, bounty date, technique and severity (Fig. 6; col. 3 lines 25-35; col. 6 lines 6-17; col. 7 lines 39-67; col. 8 lines 1-61; col. 15 lines 34-59 - bounty program of a known company/organization, along with details on forums which is well known to include description and posted dates etc.). 
Based on Bach in view of Martinez and Cran, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to utilize teachings of Martinez and Cran in the system of Bach, in order to enhance the Bach’s system by incorporating feature and vulnerability impacts on different feature segments of the system along with tracking of breaches for effective handling of the same in future, thereby achieving more granular control over vulnerabilities and attacks of any system. Also, a very commonly known aspects of incentivized crowd-sourced information may be employed to make the system bug-free based on wider bug-finding coverage, thereby making the system more secure.

For claim 3, Bach in view of Martinez and Cran teaches the claimed subject matter as discussed above. Bach further discloses the system according to claim 2, wherein the technology module further comprises a component module that is sub-categorized based on characteristics including name, CVEs, categories, tools and advisories, and wherein the hardening is further sub-categorized as description, reference and advisory (Fig. 1-2 - many components associated with one or more technology modules of the system; para 0020, 0036, 0040-0063, 0079-0080 - asset types (categories), tools, CVEs separated or handled for vulnerability assessment and having description, references and vulnerability handling advisory such as remediation, wherein CVEs and CWEs are well-known to have CWE and CVE databases maintained by Mitre have names, description and associated identifiers with the vulnerabilities and weaknesses associated with different elements or components of IT).
Bach does not appear to explicitly disclose, however Martinez teaches component sub-categorizing based on payloads, hardening and questions (Fig. 8; para 0022, 0116, 0121, 0123-0124, 0141, 0146-0147, 0151, 0259; Table 7 - identify test areas, test strategies (listed plans or test cases), tests associated with network data flow, configuration hardening, series of questions and training need or assessment).

Claims 4-5 are rejected under 35 U.S.C. 103 as being unpatentable over Bach et al. (US 2017/0180410 A1, Bach hereinafter), in view of Martinez et al. (US 2014/0137257 A1, Martinez hereinafter).
For claim 4, Bach does not appear to explicitly disclose, however Martinez teaches wherein the risk language library is configured for identifying security requirements for software features and identifying coding patterns to protect against vulnerabilities (Martinez - para 0112-0114, 0119 - code segments or patterns with policy violations causing vulnerabilities that are needed to be protected), and 
wherein the risk language library is also configured to enable security testers to identify appropriate security test cases, finding vulnerabilities by identifying specific payloads, creating application security checklists and provide training on application security for application developers (Fig. 8; para 0022, 0116, 0121, 0123-0124, 0141, 0151, 0259; Table 7 - identify test areas, test strategies (listed plans or test cases), tests associated with network data flow, and training need or assessment).
Based on Bach in view of Martinez, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to utilize teachings of Martinez in the system of Bach, in order to enhance the Bach’s system by incorporating vulnerability area identification techniques such as identifying vulnerable or weaker coding practices, and proactive or reactive test strategies to keep the system more secure.

For claim 5, Bach does not appear to explicitly disclose, however Martinez teaches wherein the risk language library is configured for capturing application vulnerabilities in a database (para 0009, 0050, 0088, 0119; Table 11), linking application security vulnerabilities to features and threat models (para 0049-0050, 0065, 0084-0085, 0141, 0159, 0198-0203, 0237-0239; Table 18 - vulnerabilities associated with assets and asset types which are in turn associated with specific system features or functions, and threat modeling), correlating vulnerabilities with aliases for application security and derive test cases from a vulnerability (0121, 0123-0124, 0141, 0151 - testing plan based on vulnerabilities and testing/prevention of the same). Based on Bach in view of Martinez, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to utilize teachings of Martinez in the system of Bach, in order to enhance the Bach’s system by incorporating discovering vulnerability associated with different feature segments of the system along with tracking via threat models for effective handling and testing of the vulnerabilities, thereby achieving more security control over vulnerabilities and making the system more robust.


Conclusion
THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAYESH JHAVERI whose telephone number is (571)270-7584. The examiner can normally be reached on Mon-Fri 9 AM to 5 PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached on (571)272-6798.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/JAYESH M JHAVERI/Primary Examiner, Art Unit 2433