Notice of Pre-AIA  or AIA  Status
1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Election/Restrictions
2.    NO restrictions warranted at initial time of filing for patent.

Priority
3.    Applicant claims foreign priority under 35 USC 119a-d to Japanese application filed on 03/25/2016.
Information Disclosure Statement
4.    The information disclosure statement (IDS) submitted on 11/20/2020, 04/21/2021, 09/02/2021, the submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Oath/Declaration
5.    Applicant’s Oath was filed on 11/20/2020.

Drawings
6.    Applicant’s drawings filed on 11/20/2020 has been inspected and is in compliance with MPEP 608.01.
Specification
7.    Applicant’s specification filed on 11/20/2020 has been inspected and is in compliance with MPEP 608.02.
Claim Objections
8.    NO objections warranted at initial time of filing for patent.

Remarks
9.	Examiner request Applicant review relevant prior art under the conclusion of this office action.

Double Patenting
10.	The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp. 
Claims 16-31 are provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-9 of Patented Application no. 10860722. Although the claims at issue are not identical, they are not patentably distinct from each other because both the co-assigned Application claim 16 and co-assigned Patented Application claim 1 are almost the same in scope.


Patent App. No. ‘722 claim 1 and associated claims 2-9
1. A method performed by a terminal, the method comprising: receiving, from a server, vulnerability information concerning vulnerability, including a release date and time, and a method for investigation, before the release date and time, wherein the vulnerability information is received by the server from a vulnerability information distribution system; and investigating the terminal using the method for investigation
1. A security risk management system comprising: a server device; and an agent unit included in a terminal device, wherein the agent unit is executed by central processing unit and is associated with a software vendor; wherein: the server device transmits vulnerability information to the agent unit over a communication network before a release date and time of the vulnerability information, the agent unit investigates presence or absence of vulnerabilities in the terminal device based on information regarding a method for vulnerability investigation contained in the vulnerability information, and transmits vulnerability investigation results containing the investigation results to the server device before the release date and time of the vulnerability information, the server device presents the vulnerability information and the vulnerability 



Therefore, it would have been obvious to one of ordinary skill in the art to modifyinstant Application claims 116 with the additional limitation of so to obtain Patented App ‘722 claim 1 as claimed. 
Allowance of application claim 1 would result in an unjustified time-wiseextension of the monopoly granted for the invention defined by co-pending Applicationclaim 1. Therefore, the provisional obviousness-type double patenting is appropriatebecause the conflicting claims have not in fact been patented. Application claim 16corresponds to co-assigned patented application claim 1. 

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.




11.	Claims 16, 17, 20-24, and 27-31 are rejected under 35 U.S.C. 102(a)(1)/(a)(2) as being anticipated by U.S. Publication No. 20140373160 hereinafter Sigemoto.


	As per claim 16, Sigemoto discloses:
A method performed by a terminal (Fig. 1, para 0009 “In addressing the foregoing and other problems of the related art and according to one embodiment of the present invention, there is provided a vulnerability countermeasure device for taking countermeasures against the vulnerability of a system configured of multiple computers connected via a network.”), the method comprising: 
receiving, from a server, vulnerability information concerning vulnerability, including a release date and time, and a method for investigation, before the release date and time (para 0081 “FIG. 5 shows an example of the vulnerability information data 209. As shown in FIG. 5, the vulnerability information data 209 includes vulnerability ID's 501, release dates 502, software 503, and versions 504.” Para 0085 “ For purpose of simplification and illustration, the vulnerability information data 209 was shown above to include the release dates 502, software 503, and versions 504. Alternatively, the vulnerability information data 209 may further include information indicating eventual effects of vulnerability, the presence or absence of countermeasure Para 0086 “The service provider checks the vulnerability information disclosure sites 105 periodically and, whenever new vulnerability is disclosed, causes information about the new vulnerability to be reflected in the vulnerability information data 209. As an alternative, the service provider may use suitable tools to automate updating of the vulnerability information data 209.”), 
wherein the vulnerability information is received by the server from a vulnerability information distribution system (Fig. 1, element 105, para 0086 “The service provider checks the vulnerability information disclosure sites 105 periodically and, whenever new vulnerability is disclosed, causes information about the new vulnerability to be reflected in the vulnerability information data 209. As an alternative, the service provider may use suitable tools to automate updating of the vulnerability information data 209.”); 
and investigating the terminal using the method for investigation (para 0087 “The vulnerability information data 209 is used when the assessment program 211 executed by the CPU 203 assesses whether there is a vulnerability in the software installed in servers. Specific processing of the assessment program 211 will be discussed later using FIG. 7.”).  

	As per claim 17, Sigemoto discloses:
para 0083 “The release dates 502 each represent the date on which vulnerability was announced. The software 503 denotes software susceptible to the announced vulnerability. The versions 504 each represent the version of the software susceptible to the vulnerability in question. As an alternative, the versions 504 may hold information saying "before version such-and-such" indicating all versions prior to a particular version.” Para 0084 “ For example, in the vulnerability information with "1" as the vulnerability ID 501, the release data 502 is "2010/11/11/," the software 503 is "Web server program," and the version 504 is "Before 1.0." This indicates that vulnerability was found on Nov. 11, 2011, in the Web server programs of the versions before 1.0.” Also see para 0118-0126).  

As per claim 20, the implementation of the method performed by a terminal of claim 16 will execute the method comprising receiving, from a vulnerability information distribution system, vulnerability information of claim 16. The claim is analyzed with respect to claim 16.

As per claim 21, Sigemoto discloses:
The method according to claim 20, further comprising: displaying the result before the release date and time (para 0083 “The release dates 502 each represent the date on which vulnerability was announced. The software 503 denotes software susceptible to the announced vulnerability. The versions 504  Also see para 0118-0126 and Figs. 14 and 15, para 0217). 

As per claim 22, the implementation of the method of claim 16 will execute the method for a system including a server and a terminal of claim 22. The claim is analyzed with respect to claim 16.

As per claim 23, the implementation of the method of claim 16 will execute the terminal of claim 23. The claim is analyzed with respect to claim 16.

	As per claim 24, the claim is analyzed with respect to claim 17.

As per claim 27, the implementation of the method of claim 22 will execute server of claim 22. The claim is analyzed with respect to claim 22.

As per claim 28, the claim is analyzed with respect to claim 21.

As per claim 26, the claim is analyzed with respect to claim 19.

As per claim 29, the implementation of the method of claim 22 will execute system of claim 29. The claim is analyzed with respect to claim 22.

As per claim 30, the implementation of the method of claim 16 will execute the non-transitory computer readable information recording medium (Sigemoto para 0146 and 0147) of claim 30. The claim is analyzed with respect to claim 16.

As per claim 31, the implementation of the method of claim 22 will execute the non-transitory computer readable information recording medium (Sigemoto para 0146 and 0147) of claim 30. The claim is analyzed with respect to claim 16.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:


12.	Claims 18 and 25 are rejected under 35 U.S.C. 103 as being unpatentable over Sigemoto in view of U.S. Publication No. 20160241574 hereinafter Kumar.

	As per claim 18, Sigemoto discloses:
The method according to claim 16, further comprising: sending a result of the investigating (Figs. 14 and 15, para 0217) 

	Sigemoto does not disclose:
sending a result of investigating to a server

	Kumar discloses:
sending a result of investigating to a server (para 0040 “The third party endpoint assessment service 117 receives information regarding vulnerabilities, configuration, compliance, and the patch status of different systems and services that exist in the environment. Integrity measurement and verification reports are created after the third party endpoint assessment service 117 has processed the received information. The information is generated in these reports by actively monitoring aspects of the environment from equipment deployed within the environment, or through externally hosted equipment that accesses the environment through controlled conduits such as an open port in the network Para 0041 “The trust broker 103 retrieves reports from the endpoint assessment services 117 and generates temporal events that provide the system event correlator 108 information related to the damage potential of any malicious activity on the device. The temporal information is at least in part based on the reports provided by the endpoint assessment service 117 and provide a snapshot in time of the state of the system while being agnostic to runtime aspects of the system including applications. In one embodiment, the reports are represented in a markup language such as, but not limited to, Extensible Markup Language (XML).” Para 0042 “The trust broker 103 can also be configured to parse, normalize and collate received the reports. In accordance with embodiments, the parsing, normalizing, and/or collating can be based on one or more object identifiers. Exemplary object identifiers can include, but are not limited to, machine hostnames, IP addresses, application names, and package names. This parsing, normalization, and collation (collectively, processing) generates temporal events that annotate the state of the endpoints (devices) at scan time.”)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the vulnerability 
The motivation would have been to ascertain results of an investigation of vulnerabilities to properly determine the best steps to protect a computing system.

As per claim 25, the claim is analyzed with respect to claim 18.

13.	Claims 19 and 26 are rejected under 35 U.S.C. 103 as being unpatentable over Sigemoto in view of U.S. Publication No. 20140082736 hereinafter Guarnieri.

	As per claim 19, Sigemoto discloses:
The method according to claim 16, wherein the vulnerability information (para 0080 and 0085)

	Sigemoto does not disclose:
vulnerability information is encrypted, and the method further comprising: decrypting the encrypted vulnerability information before the investigating is performed.  

Guarnieri discloses:
vulnerability information is encrypted, and the method further comprising: decrypting the encrypted vulnerability information before the investigating is para 0011 “A further method for server security verification is shown that includes scanning a server for one or more vulnerabilities using a scanning module located at the server; generating an encrypted report of server-side security that includes an indication regarding the presence of a vulnerability for each of said one or more vulnerabilities based on the results of said scanning, said encryption being performed using a private key; transmitting the encrypted report to a requesting client; decrypting the encrypted report using a public key; determining a level of server-side security based on the decrypted report using a processor; configuring a scanning module located at the client to increase or diminish scanning of specific vulnerabilities based on the determined level of server-side security; and scanning the server for vulnerabilities using a scanning module located at the client.” para 0013 “A further client security module is shown that includes a report validation module configured to acquire a public key associated with a received report, said received report having been generated at a server and indicating the presence of one or more vulnerabilities at the server, to decrypt the received report using the public key, and to determine a level of server-side security based on the decrypted report; a scanning module configured to scan the server for vulnerabilities based on the received report, wherein the scanning module enhances or diminishes scanning of specific vulnerabilities based on the determined level of server-side security; and a processor configured to reconfigure a browser responsive to the determined level of server-side security and an outcome of the scanning module.”)

The motivation would have been to decrypt results of an investigation of vulnerabilities to properly determine the best steps to protect a computing system.

As per claim 26, the claim is analyzed with respect to claim 19.


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
A. U.S. Publication No. 20110119765 discloses on 0026 “One will appreciate that as used herein, vulnerability information may include the name, description, severity rating, security impact summary and remediation instructions for a vulnerability. Vulnerability information may be included in the result information server 151 transmits to mobile communication device 101 or may be stored in data storage 111. Result information may include a list of vulnerabilities that are known to affect mobile communication device 101, a list of potential vulnerabilities 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to GARY S GRACIA whose telephone number is (571)270-5192. The examiner can normally be reached Monday-Friday 9am-6pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/GARY S GRACIA/Primary Examiner, Art Unit 2491