Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 23 March 2022 has been entered.
Response to Arguments
Regarding the 35 USC 103 rejection, Examiner has fully considered the remarks filed 03/23/2022.
Regarding Applicant’s assertion of “Specifically, the instant timer is restarted once a request for more information is submitted/sent to said researcher by the instant platform. In contrast, the Examiner-applied prior art passages rejecting these limitations, including paragraph [0030], [0030-0042, 0050- 150052] or any other teachings of Rogers on pages 7-8 of the office action are only concerned with either showing a clock to a customer about when an issue is submitted, or restarting the timer for the escalation of a dispute. On the other hand, the instant timer of limitations (f) and (e) of claims 1 and 11 respectively, is specifically restarted once more information is requested from the researcher about the  vulnerability/issue  based  on  an   instant  customer examination. See Fig. 3, specifically box/step 314 and associated explanation. The dispute/issue escalation of Rogers has nothing to do with the above-referenced, taught and claimed capability of restarting the timer for requesting more information of the present design.,” Examiner respectfully disagrees. The base invention Kaplan teaches requesting additional information for a vulnerability issue based on customer evaluation of a bug bounty submission. The inquiry for additional information of Kaplan is modified by the timer of the Rogers reference in order to teach the cited limitation. Therefore, Rogers is not being utilized to teach receiving more information about the dispute, as the base reference Kaplan already teaches this limitation. Even assuming arguendo, in at least [0041] of Rogers, the reference discloses that a customer can dispute with the findings of a service provider. This dispute and associated escalation allows the system to restart a timer to track the amount of time the disputed item is in the new state. Both of these references teach disputing the findings of a service provider. Kaplan, as modified by the timer of Rogers, teaches all the limitations of the claim. 
Regarding Applicant’s assertion of “Roger's dispute escalation and restarting of the timer for resollving the dispute by its service provider is not equivalent to restarting of the instant timer when more information is requested from the researcher. Dispute escalation would simply mean that the priority or the urgency of the dispute be elevated so that the service provider can more e quickly/attentively resolve it, and which will not result in any new/additional or more information about the dispute. Resolving a dispute does not add more information to the dispute. This is fundamentally different from explicitly requesting additional details or more information to a vulnenerability that has already been reported, and which by definition will result in more information from the researcher,” Examiner respectfully disagrees. The base invention of Kaplan discloses requesting additional information based on a bug bounty submission. The inquiry for additional information of Kaplan is modified by the timer of the Rogers reference in order to teach the cited limitation. Therefore, Rogers is not being utilized to teach receiving more information about the dispute, as the base reference Kaplan already teaches this limitation. Even assuming arguendo, in at least [0051] of Rogers, it can be seen that the service provider responds to the customer’s inquiry for additional information by either determining that the customer is correct in submitting the dispute or determining that the customer is incorrect. Additionally, paragraph [0051] further discloses that the service provider can provide feedback to the customer including adjustment information or order information.
Regarding Applicant’s assertion of “A person of ordinary skill in the art (POSA) with access to Rogers would not arrive at restarting a timer once a customer examination reveals that more information is required from the researcher. Instead, the POSA would simply escalate the issue to be resolved by Rogers' service provider. As noted above, Roger's escalation will not result in any new or more information at all. Instead, in the present design a request for more information and restarting of timer as specified in limitations (f)/(e) of claims 1//11 will cause the researcher to provide more details    and    additional    information    about    the vulnerability/issue being reported, per box 318 of Fig. 3 and associated  explanation. Roger's   dispute  escalation  and restarting of the timer or merely showing a clock has nothing to do with requesting more information from the researcher and restarting the timer.,” Examiner respectfully disagrees. The base invention of Kaplan discloses requesting additional information based on a bug bounty submission. The inquiry for additional information of Kaplan is modified by the timer of the Rogers reference in order to teach the cited limitation. Therefore, Rogers is not being utilized to teach receiving more information about the dispute, as the base reference Kaplan already teaches this limitation. Even assuming arguendo, in at least [0051] of Rogers, it can be seen that the service provider provides feedback to the customer including adjustment information or order information.
Regarding Applicant’s assertion  of “Furthermore, based on the guidance of the above-referenced interviews, the applicant has also amended limitations (d) and (c) of independent claims 1 and 11 respectively to recite that the matching of the supervisors to the bug bounty programs is performed by machine learning. Such a capability affords the instant platform its automation capabilities. See page 16, line 20 through page 17, line 8 of the instant specification for support. No such, machine learning based skills matching capability is taught or implied by the Examiner-applied paragraph [0393] or any other teaching of Cooner or any other prior art of record,” Examiner has updated the grounds of rejection and is no longer relying on Cooner. Therefore, Applicant’s assertions in view of Cooner are moot. 
Accordingly, the present claims are rejected under 35 USC 103.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1, 7-8, 10-11, and 17-18 are rejected under 35 U.S.C. 103 as being unpatentable over Kaplan et al. (US 10915636 B1) in view of Rogers (US 20080162368 A1) in view of Gupta et al. (US 20190102723 A1) in view of Bhaskaran et al. (US 20180365628 A1).

Regarding claim 1, Kaplan teaches a computer-implemented method for improving a computer system  (Col 4 lines 8-16 teach a service provider having a contractual relationship with a third party owner of a computer system and having a separate contractual relationship with a plurality of computer security researchers), said method comprising the steps of: 
(a) installing by a researcher a specialized software stack locally, said specialized software stack required for testing said computer system (Fig. 1 and Col 7 lines 35-57 teach a plurality of researcher computers coupled via network to the launch point computer, wherein Col 7 lines 58-67 teach each of the researcher computers are coupled indirectly to the launch point network from local area networks or the like, and wherein Col 8 lines 17-52 teach the computers are granted access to the launch point for performing testing through the network via one or more computer programs and software elements);  
(b) inputting by a customer using one or more user interface (UI) screens, a target brief into an issues reporting platform (Fig. 1 and Col 4 lines 8-16 teach a service provider having a contractual relationships with third party owners of computer systems, wherein Col 4 lines 25-29 teach a third party computing system owner can produce records of the applications that they wish to have evaluated for computer vulnerabilities; see also: Col 13 lines 9-32, Col 14 lines 59-63), 
said target brief containing instructions for said researcher for accessing said computer system (Fig. 1 and Col 5 lines 34-40 teach providing a summary of a record of a particular computer vulnerability project and access location of the service provider to the particular researcher, and optionally zero other researcher, wherein Col 4 lines 25-29 teach a third party computing system owner can produce records of the applications that they wish to have evaluated for computer vulnerabilities, wherein Col 13 lines 9-32 describe the application interface utilized by the computing system owning customer to access the project information; see also: Col 14 lines 59-63), 
wherein said researcher performs said accessing via login credentials on said computer system (Col 8 lines 17-39 teach the researcher computers are granted access to the Launch Point computer through providing credentials, as well as in Col 10 lines 20-36 teach granting access to a researcher to a web portal for web applications that are within the scope of the project), 
wherein said researcher performs said testing using said specialized software stack (Col 5 lines 14-55 teach the researchers receive access credentials for a computer or application associated with the service provider through the Launch Point, as well as Col 5 line 66 to Col 6 line 16 teach logging and monitoring the researcher as the access the target computer system for the vulnerability research project, as well as in Col 10 lines 20-36 teach granting access to a researcher to a web portal for web applications that are within the scope of the project, including obfuscating the identity of the customer that the researcher is attacking), 
and wherein said researcher discovers a vulnerability that exposes said computer system to an attack (Fig. 1 and Col 5 line 56 to Col 6 line 16 teach the researcher is granted access to the target computer system to perform the particular vulnerability project, wherein the project can be a single researcher or multiple researchers competing to find vulnerabilities, and wherein Col 1 lines 43-53 teaches the vulnerability is to all known attacks, malware, and viruses); 
(c) inputting a submission by said researcher using one or more UI screens, into said issues reporting platform (Col 6 lines 29-37 teach receiving a report of a candidate security vulnerability from a particular researcher, wherein the report specifies the vulnerability and identifies the target system), said submission based on and containing steps required to reproduce said at least one issue associated with said target computer system (Col 6 lines 29-37 teach receiving a report of a candidate security vulnerability from a particular researcher, wherein Col 6 lines 40-43 teach the report contains a sequence of operations provided for re-performing the identified security vulnerability, and wherein Col 5 line 56 to Col 6 line 16 teach the researcher is granted access to the target computer system to perform the particular vulnerability project); 
(d) starting said timer when said submission is presented by a supervisor to said customer for a customer examination (Col 6 line 63 to Col 7 line 2 teach a report describing the vulnerability is provided to the owner of the computing system that was tested, wherein Col 13 lines 9-32 describe the application interface utilized by the computing system owning customer to access the project information including the report), 
said supervisor belonging to an entity distinct from said customer and said researcher (Col 4 lines 8-16 teach a service provider having a contractual relationship with a third party owner of a computer system and having a separate contractual relationship with a plurality of computer security researchers, as well as in Col 4 lines 53-67 teach the third party researchers are found from online forums, or even a website promoting the opportunities to participate in crowd sourced research project directed to computer vulnerabilities), 
to a 36bounty program run on said issues reporting platform (Col 3 lines 38-46 teach top security talent can be recruited and incentivized through bounties to discover security vulnerabilities in a variety of target applications and systems); 
 (e) paying said researcher based on a status of said submission…(Col 6 lines 38-62 teach that upon validating the completion of the vulnerability project by the researcher, then the researcher may be paid a fee), 
if said submission is not an informational finding (Col 6 lines 38-51 teach the researcher can submit a report, which can be evaluated and validated, wherein either the candidate security vulnerability was successfully validated or a negative report or message may be communicated to the researcher that further information is needed or the report appears to represent something other than a security vulnerability, wherein Col 6 lines 52-62 teach that if the report was successfully validated, then the researcher can be paid); 
(f) requesting more information on behalf of said customer from said researcher…(Col 11 lines 38-46 teach the evaluation of the vulnerability may also comprise verifying the quality of the submission and requesting more information if needed); 
 (h) informing said customer and said researcher and closing said submission…(Col 6 lines 63-67 teach notifying the third party system owner that the validated security vulnerability has been found by the researcher, and wherein Col 6 lines 38-62 teach that upon validating the completion of the vulnerability project by the researcher, then the researcher may be paid a fee); 
and (i) remediating said vulnerability in said computer system for preventing said attack, and thereby causing said improving of said computer system (Fig. 1 and Col 7 lines 3-11 teach the process comprises performing other remedial actions including security remediation operations on the host that the researcher identified in the report, wherein the operations include reconfiguring network topology, installing software updates, and more; see also: Col 7 lines 12-31).
Although Kaplan teaches portions of (e), (f), and (h), Kaplan does not explicitly teach wherein said supervisor is automatically assigned to said 34customer by said issues reporting platform based on a 35matching of one or more skills of said supervisor; (d) starting said timer when said submission is presented by a supervisor to said customer for a customer examination, wherein said matching is performed by machine learning; (e) paying said researcher based on a status of said submission as determined by said customer examination; (f) requesting more information on behalf of said customer from said researcher and restarting said timer based on said status of said submission; (g) automatically performing dispute resolution by said issues reporting platform and pausing said timer based on said status of said submission; and (h) informing said customer and said researcher and closing said submission based on a duration of time that said timer has been running relative to said timer length. 
From the same or similar field of endeavor, Rogers teaches (d) starting said timer when said submission is presented by 21a supervisor to said customer for a customer examination (paragraph [0030] teaches a clock may be shown to inform customers of the time remaining on a listing before the dispute is scheduled to be resolved or how long the dispute has been pending, wherein paragraph [0032] both the customer and the service provider (i.e. supervisor) can update the item as needed until resolution; see also: [0040-0042, 0050-0052]);
(f) requesting more information on behalf of said customer from said researcher and restarting said timer, based on said status of said submission (paragraph [0041] teaches that based on the findings, the user can choose to escalate the dispute, wherein the system timer restarts to track the amount of time of this new disputed item; see also: [0030-0042, 0050-0052]);
30(g) mediating by said supervisor and pausing said timer, based on said status of said submission (paragraph [0051] teaches a manager can stop the system timer if they believe the customer is correct in submitting the dispute, wherein paragraph [0052] after the dispute is closed, the customer can disagree and the system timer can restart; see also: [0040-0044])
and (h) informing said customer and said researcher and closing said submission based on a duration of time that said timer has been running relative to said timer length (paragraph [0051] teaches that if the representative of the service provider determines to change the status to close based on their findings, then the system timer is automatically stopped, wherein paragraph [0053] teaches the dispute items can be indicated based on a colored processing chart indicating the severity of the duration of time for the running of the item, which in paragraph [0061] can be tracked from the commencement of the beginning of the dispute to resolution).
While Rogers does not explicitly evaluate target testing related issues, Rogers presents a solution to a problem reasonably pertinent to the claimed invention. For example, as explained above, Kaplan addresses the testing and evaluation of a customer target for issues, as well as the customer dispute resolution associated with a customer inquiry for additional information; however, Kaplan does not explicitly address the claimed manner of timing the customer. Rogers presents a solution to a problem reasonably pertinent to the claimed invention. In Kaplan, one is managing the relations between a customer and testing service platform for the identification of issues. Analogously, in Rogers, one is managing the relations between a user and a network platform for the resolution of issues. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Kaplan to incorporate the teachings of Rogers to include (d) starting said timer when said submission is presented by 21a supervisor to said customer for a customer examination; 15/847,608 (BGC-102-US)Page 3 Amendment A22 (f) requesting more information on behalf of said customer from said researcher and restarting said timer, based on said status of said submission; 30(g) mediating by said supervisor and pausing said timer, based on said status of said submission; and (h) informing said customer and said researcher and closing said submission based on a duration of time that said timer has been running relative to said timer length. One would be motivated to do so in order to improve customer satisfaction and improve dispute processing times by allowing the user to interact directly with the service provider’s platform (Rogers, [0032]). By incorporating the method of Rogers into the teachings of Kaplan, one would avoid a problematic dispute between a customer and service provider by measuring the time of completion of the dispute in a singular version of the dispute communication (Rogers, [0002]).
Although Kaplan teaches (e) paying said researcher based on a 24status of said submission (see at least [0159, 0176, 0198]), the combination of Kaplan and Rogers does not explicitly teach wherein said supervisor is automatically assigned to said 34customer by said issues reporting platform based on a 35matching of one or more skills of said supervisor; wherein said matching is performed by machine learning; (e) paying said researcher based on a status of said submission as determined by said customer examination.
From the same or similar field of endeavor, Gupta teaches wherein said supervisor is automatically assigned to said 34customer by said issues reporting platform based on a 35matching of one or more skills of said supervisor ([0054] teaches training a machine learning algorithm to assign service requests, wherein [0055-0056] teach the machine learning algorithm can determine the skills required to resolve the service request, wherein the machine learning algorithm assigns the service request to an agent possessing the identified skills, wherein [0041] teaches service managers have an associated profile including their certifications, specific skills, skillset, and expertise in a particular area; see also: [0018, 0057-0058]);
wherein said matching is performed by machine learning ([0054] teaches training a machine learning algorithm to assign service requests, wherein [0055-0056] teach the machine learning algorithm can determine the skills required to resolve the service request, wherein the machine learning algorithm assigns the service request to an agent possessing the identified skills, as well as in [0018] teaches using machine learning to build service agent profiles to identify skill sets, process service request to identify associated skills, and assign service requests to agents based on the associated skills; see also: [0057-0058]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Kaplan and Rogers to incorporate the teachings of Gupta to include wherein said supervisor is automatically assigned to said 34customer by said issues reporting platform based on a 35matching of one or more skills of said supervisor; wherein said matching is performed by machine learning. One would have been motivated to do so in order to identify the best agent to handle the request based on their skill profile (Gupta, [0040]). By incorporating the teachings of Gupta, one would have been able to assign service requests faster and more efficiently by using machine learning to match agent profiles (Gupta, [0018]).
However, the combination of Kaplan, Rogers, and Gupta does not explicitly teach (e) paying said researcher based on a status of said submission as determined by said customer examination.
From the same or similar field of endeavor, Bhaskaran teaches (e) paying said researcher based on a 24status of said submission as determined by said customer 25examination (paragraph [0360] teaches the Project Manager can raise customer invoices at the end of each sprint once all Spring deliverables have been accepted (i.e. based on status of said submission) by the Customer, wherein Fig. 30-1 and paragraph [0151] teach producing a report that lists all invoices and payment status, wherein paragraph [0238] the freelancers are paid at the end of each sprint; see also: [0197-0199, 0242-0245]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Kaplan, Rogers, and Gupta to incorporate the teachings of Bhaskaran to include (e) paying said researcher based on a 24status of said submission as determined by said customer 25examination. One would be motivated to do so in order to provide accuracy rating indicating the Project Manager’s diligence on a specific contract in making payments for the freelance that are consistently accurate throughout the life of the contract (Bhaskaran, [0285]). By incorporating Bhaskaran into the teachings of Kaplan, one would yield appropriately positive customer satisfaction feedback based on the finished project, thus leading to an improved new business potential for the Project Manager (Bhaskaran, [0189]).  
Regarding claim 11, the claim recites limitations already addressed by the rejection of claim 1. Regarding claim 11, Kaplan teaches a crowdsourced platform for improved expectation setting 2between a community of customers and a community of 3researchers (Col 4 lines 8-16 teach a service provider having a contractual relationship with a third party owner of a computer system and having a separate contractual relationship with a plurality of computer security researchers), said platform comprising at least one memory 4device storing computer-readable instructions, at least one 5microprocessor coupled to said at least one memory device for 6executing said instructions (Col 15 lines 53-62 teach a memory storing instructions to be executed by a processor) said at least one microprocessor 7configured to. 89. Therefore, the rejection of claim 1 as being unpatentable over Kaplan in view of Rogers in view of Gupta in view of Bhaskaran applies to claim 11.

Regarding claims 7 and 17, the combination of Kaplan, Rogers, Gupta, and Bhaskaran teaches all the limitations of claims 1 and 11 above.
	Kaplan further teaches said issues reporting 2platform is hosted in one of a private cloud (Col 4 lines 31-39 teach testing for security and network vulnerability for cloud computing instances).

	Regarding claim 8, the combination of Kaplan, Rogers, Gupta, and Bhaskaran teaches all the limitations of claim 1 above.
Kaplan further teaches first performing a third-party examination by said supervisor in said step (d) to 3determine if said submission is valid before said starting 4of said timer (Col 6 lines 38-62 teach that upon validating the completion of the vulnerability project by the researcher, then the researcher may be paid a fee, and wherein Col 14 lines 59-63 teach providing researchers with awards based on their achievements, wherein the awards can be given over a particular reward period, such as a particular month).

Regarding claim 10, the combination of Kaplan, Rogers, Gupta, and Bhaskaran teaches all the limitations of claim 1 above.
Kaplan further teaches CocConsaid issues reporting 2platform performs its functions in one of a partially 3automated and a fully automated manner (Col 5 line 66 to Col 6 line 16 teach logging and monitoring the researcher as the access the target computer system for the vulnerability research project (i.e. partially automated), and wherein Col 8 lines 53-67 teach an automatic scanning system that can be coupled to the network requiring testing).  

Regarding claim 18, the combination of Kaplan, Rogers, Gupta, and Bhaskaran teaches all the limitations of claim 11 above.
Kaplan further teaches ssssaid supervisor performs 2a third-party examination on said submission to determine 3if said submission is valid (Col 6 lines 38-62 teach that upon validating the completion of the vulnerability project by the researcher, then the researcher may be paid a fee, and wherein Col 14 lines 59-63 teach providing researchers with awards based on their achievements, wherein the awards can be given over a particular reward period, such as a particular month).

Claims 4-5, 9, 14-15, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Kaplan et al. (US 10915636 B1) in view of Rogers (US 20080162368 A1) in view of Gupta et al. (US 20190102723 A1) in view of Bhaskaran et al. (US 20180365628 A1) and further in view of Wescoe et al. (US 10,243,904 B1).

1Regarding claims 4 and 14, the combination of Kaplan, Rogers, Gupta, and Bhaskaran teaches all the limitations of claims 1 and 11 above.
However, Kaplan does not explicitly teach said computer system is an internet 2of things (IOT) device.  
From the same or similar field of endeavor, Wescoe teaches said computer system is an internet 2of things (IOT) device (Col 4 lines 20-23 teach the electronic device can be any number of devices that are internet-of-things, wherein Col 3 lines 17-25 teach the device is tested for cybersecurity).  
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Kaplan, Rogers, Gupta, and Bhaskaran to incorporate the teachings of Wescoe to include said computer system is an internet 2of things (IOT) device.  One would be motivated to do so in order to produce more accurate results for the simulated phishing campaign, which will in turn get the most value out of their efforts (Wescoe, Col 1 lines 32-37). By incorporating Wescoe into the combination, one would expose cybersecurity risks and reduce the likelihood of enabling unauthorized third parties from accessing the organization’s systems (Wescoe, Col 1 lines 11-15, 26-31). 

Regarding claim 5, the combination of Kaplan, Rogers, Gupta, and Bhaskaran teaches all the limitations of claim 4 above.
However, Kaplan does not explicitly teach wherein said IOT device is a 2smart-fridge.  
From the same or similar field of endeavor, Wescoe further teaches wherein said IOT device is a 2smart-fridge (Col 4 lines 20-23 teach the electronic device can be an internet-of-things including a smart refrigerator, wherein Col 3 lines 17-25 teach the device is tested for cybersecurity).  
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Kaplan, Rogers, Gupta, and Bhaskaran to incorporate the teachings of Wescoe to include wherein said IOT device is a 2smart-fridge. One would be motivated to do so in order to produce more accurate results for the simulated phishing campaign, which will in turn get the most value out of their efforts (Wescoe, Col 1 lines 32-37). By incorporating Wescoe into the combination, one would expose cybersecurity risks and reduce the likelihood of enabling unauthorized third parties from accessing the organization’s systems (Wescoe, Col 1 lines 11-15, 26-31). 



	Regarding claims 9 and 19, the combination of Kaplan, Rogers, Gupta, and Bhaskaran teach all the limitations of claims 8 and 18 above.
	However, Kaplan does not explicitly teach one or both of 2supervised and unsupervised machine learning are utilized during said third-party examination (Col 5 lines 11-26 teach building a machine learning model that can determine the legitimacy of the exposed, potentially malicious threat, which is done as an automated analysis).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Kaplan, Rogers, Gupta, and Bhaskaran to incorporate the teachings of Wescoe to include one or both of 2supervised and unsupervised machine learning are utilized during said third-party examination. One would be motivated to do so in order to produce more accurate results for the simulated phishing campaign, which will in turn get the most value out of their efforts (Wescoe, Col 1 lines 32-37). By incorporating Wescoe into the combination, one would expose cybersecurity risks and reduce the likelihood of enabling unauthorized third parties from accessing the organization’s systems (Wescoe, Col 1 lines 11-15, 26-31).

Regarding claim 15, the combination of Kaplan, Rogers, Gupta, and Bhaskaran teaches all the limitations of claim 14 above.
However, Kaplan does not explicitly teach wherein said IOT device is 2a smart-thermostat.  
From the same or similar field of endeavor, Wescoe teaches wherein said IOT device is 2a smart-thermostat (Col 4 lines 20-23 teach the electronic device can be an internet-of-things including a smart thermostat, wherein Col 3 lines 17-25 teach the device is tested for cybersecurity).  
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Kaplan, Rogers, Gupta, and Bhaskaran to incorporate the teachings of Wescoe to include wherein said IOT device is 2a smart-thermostat. One would be motivated to do so in order to produce more accurate results for the simulated phishing campaign, which will in turn get the most value out of their efforts (Wescoe, Col 1 lines 32-37). By incorporating Wescoe into the combination, one would expose cybersecurity risks and reduce the likelihood of enabling unauthorized third parties from accessing the organization’s systems (Wescoe, Col 1 lines 11-15, 26-31).
Claims 6 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Kaplan et al. (US 10915636 B1) in view of Rogers (US 20080162368 A1) in view of Gupta et al. (US 20190102723 A1) in view of Bhaskaran et al. (US 20180365628 A1).

1Regarding claims 6 and 16, the combination of Kaplan, Rogers, Gupta, and Bhaskaran teaches all the limitations of claim 1 above.
However, Kaplan does not explicitly teach said timer length represents 2a response-time for a service level agreement (SLA) 3between said customer and said researcher.
From the same or similar field of endeavor, King teaches said timer length represents 2a response-time for a service level agreement (SLA) 3between said customer and said researcher (paragraph [0117] teaches the service provider professionals and the customer have an executed service level agreement including analysis and notification of threats within a specified time limit and period reporting requirements).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Kaplan, Rogers, Gupta, and Bhaskaran to incorporate the teachings of King to include said timer length represents 2a response-time for a service level agreement (SLA) 3between said customer and said researcher. One would be motivated to do so in order to assist the customer in acting on vulnerabilities and security breaches detected, wherein the user has to analyze and respond to the threats in a specified time limit (King, [0117]). 

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Kislaki et al. (US 10380516 B1) discloses using a machine learning system to match customer service inquiries
Kan et al. (US 20170155769 A1) discloses using artificial intelligence pairing solutions to optimize case assignments 
 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Sara G Brown whose telephone number is (469)295-9145. The examiner can normally be reached M-Th 8:00 am- 5:00 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Brian Epstein can be reached on (571) 270-5389. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/S.G.B./Examiner, Art Unit 3683                                                                                                                                                                                                        




/BRIAN M EPSTEIN/Supervisory Patent Examiner, Art Unit 3683