Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
1. This is in response to the arguments filed on 11/17/2021.
2. Claims 1-20 are pending in the application.
3. Claims 1-20 have been rejected.
Response to Arguments
4.	Applicant's arguments with respect to claims 1-20 have been considered but are moot in view of the new ground(s) of rejection. 

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant, regards as the invention. In these claims applicants mention “one or more permissions requested by the browser extension, wherein the one or more permissions are requested from the user device;”, which is generally narrative and indefinite with the invention. Applicants do not point out clearly which options are included in the present invention by these contradicting and vague terms. One of ordinary skill in the art could not understand what the intended meaning of the claimed invention is by using these ambiguous terms of “permissions requested by the browser extension” and “permissions are requested from the user device”. “Permissions requested by the browser extension” and “permissions are requested from the user device” could be two different and conflicting concepts, which would be impossible for one of ordinary skill in the art to interpret. Similarly, the examiner fails to understand what the metes and bounds of the claim limitations are by using these two contradictory concepts. Which “permissions requested” should be considered as particular to the risk score? Therefore, these limitations with these ambiguous terms are indefinite with the present application. The examiner will interpret these terms and limitations with regard to the claims as best understood for applying the appropriate art for rejection purposes. Appropriate correction is needed to overcome the rejection.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the 


5.	Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Gomez (US Pat. App. Pub. 20150007330) in view of Kay et al., hereinafter Kay (US Pat. App. Pub. 20130247030).
6.	As per claims 1, 9, and 16, Gomez discloses a computer-implemented method, an apparatus, and a storage media comprising: obtaining, from a user device of a plurality of user devices associated with an organization, to install a browser extension for a browser of the user device; generating, for the browser extension, a risk score that is based on risk values for each of one or more the browser extension (paragraphs: 10, 22-24, and 37, wherein it emphasizes generating the risk score for the browser extension based on risk values for each permitted browser extension); determining whether the browser extension satisfies risk standards of the organization by comparing the risk score to a threshold value for the organization; and in response to determining that the browser extension satisfies the risk standards, automatically adding the browser extension to a whitelist of permitted extensions for approved installation on the plurality of user devices (paragraphs: 11-13, 26-27, and 41-46; wherein it elaborates that if the browser extension satisfies the risk standards by comparing the risk score to a threshold value, then it will be added to the permitted list of browser extensions). Although Gomez mentions a risk score for installing the requested browser extension and the importance of satisfying the risk score to the threshold value for the organization for approval of the browser extension, he does not specifically mention generating, for the browser extension, risk values for each of one or more permissions requested by the browser 
Accordingly, it would have been obvious to one of ordinary skill in the network security art before the effective filing date of the claimed invention to have incorporated Kay’s teachings of, in response to obtaining the request to install the browser extension, generating, for the browser extension, risk values for each of one or more permissions requested by the browser extension, wherein the one or more permissions are requested from the user device, with the teachings of Gomez, for the purpose of effectively installing and protecting the browser extension from unauthorized intruders.
7.	As per claim 2, Gomez discloses the computer-implemented method comprising generating a risk assessment report by: accessing, via an application programming interface, information pertaining to the browser extension from a browser extension 
6.	As per claim 3, Gomez discloses the computer-implemented method wherein the information comprises one or more of: manifest information, permission information, content security policy, and extension metadata (paragraphs: 21, 43, 46). 
7.	As per claim 4, Gomez discloses the computer-implemented method, wherein analyzing the information comprises determining whether the browser extension includes one or more of: a vulnerability in a third-party library, a dangerous function, and a dangerous entry point (paragraphs: 12, 37, and 42). 
8.	As per claim 5, Gomez discloses the computer-implemented method comprising: in response to automatically whitelisting the browser extension, transmitting an instruction to the user device to install the browser extension (paragraphs: 10, 29, 39). 
9.	As per claim 6, Gomez discloses the computer-implemented method wherein the browser includes a gatherer extension, and wherein the gatherer extension obtains the extension identifier from the browser (paragraphs: 26, 31, 36). 
10.	As per claim 7, Gomez discloses the computer-implemented method comprising: determining that an updated version of the browser extension is available; generating, for the updated version of the browser extension, an updated risk score that is based on risk values for each of one or more permissions requested by the updated version of the browser extension; determining whether the updated version of the browser extension satisfies risk standards of the organization by comparing the updated risk score to a threshold value for the organization; and in response to determining that the browser 
11.	As per claim 8, Gomez discloses the computer-implemented method, wherein the request comprises a business justification for installation of the browser extension (paragraphs: 14, 25, and 45). 
12.	Claims 10-15 and 17-20 list all the same elements as claims 2-9. Therefore, the supporting rationales of the rejection of claims 2-9 apply equally to claims 10-15 and 17-20.

Citation of References
13. The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The following references are cited but have not been relied upon for this office action:
Le et al. (US Pat. 8365291): discusses determining whether a browser extension leaks information over a network. A control flow graph (CFG) is generated from source code included in the browser extension. The CFG is particular to the programming language included in the source code. A sensitive path in the CFG is determined. The sensitive path begins at a sensitive source node and ends at a sensitive end node. A set of tainted variables in the CFG is identified, where each tainted variable stores sensitive information. A subset of tainted variables is generated, where each tainted variable in the subset is included in the sensitive path. When a tainted variable in the subset is included in the sensitive end node, it is associated with a leak of sensitive information by the browser extension over the network.
Conclusion

14.	Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on 571-272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
/MOHAMMAD W REZA/Primary Examiner, Art Unit 2436