DETAILED ACTION
Claims 1-25 are presented on 12/23/2022 for examination on the merits. Claims 1, 12, and 20 are independent base claims.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Examiner's Instructions for filing Response to this Office Action
When the Applicant submits amendments to the claims in response to the Office Action, the Examiner would prefer that the Applicant submit two sets of claims:
Set #1 that includes indicators for the status of claim and all marked amendments to the claims; and 
Set #2 comprising a clean version of the claims with all the markups removed for entry, as an appendix to the Applicant Arguments/Remarks or a section following the Remarks.

Information Disclosure Statement
The information disclosure statement(s) (IDS) submitted for examination on merits is/are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement(s) is/are being considered by the examiner. See the annotated 1449 documents.

Claim Objections
Claims 1, 12, and 20 are objected to because of the following informalities:
Claims 1, 12, and 20 each recite a limitation for “a computing system manufacturer computing system” deficiently.  The Examiner suggests changing the limitation to “a computer manufacturer’s computing system.” 
Claims 1, 12, and 20 each recite a limitation for “an enterprise information technology (IT) computing system” deficiently.  The Examiner suggests changing the limitation to “an enterprise computing system” because information technology (IT) is typically an integral part of any computing system and thus redundant in the limitation.
Appropriate correction is required.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows: 
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-25 are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without significantly more.
The rationale for this determination is explained below:  
First – following Step 1 of the guidance, claims 1-25 are directed to an apparatus with a processor coupled with memory, a method comprising a series of functional steps, or non-transitory computer readable medium.  Therefore, the claimed invention falls into one of the four statutory categories.
Secondly – following Step 2 of the guidance, claims 1-25 are analyzed for their underlying inventive concept with a new two-prong inquiry: (1) does the claim recite an abstract idea, law of nature, or natural phenomenon, and/or judicial exceptions? and (2) does the claim recite additional elements that integrate the judicial exception into a practical application?
It is determined that the claimed invention is directed to an abstract idea or at least one of the judicial exceptions, because the concept of the invention is basically publishing and using a created token to prevent an exploit of a vulnerability affecting the selected one or more features; this is the first prong of the inquiry. The idea is similar to one or more mental processes – concepts performed in the human mind (including an observation, evaluation, judgment, opinion), because a deprivation token is essentially a numeric string associated with selected features, which may be identified by a human being via observation and evaluation.
Regarding the second prong, the identified additional elements – computer systems to integrate the idea of “using a created token to prevent an exploit of a vulnerability” into a practical application.
The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception because the claim merely recites an executable program, a processor and memory that may reside in a single computer system. These elements only perform functions of a general computer such as receiving, retrieving, and storing data. Further, claim 1 does not recite an improvement to another technology or technical field, an improvement to the functioning of the computer itself, or meaningful limitations beyond generally linking the use of an abstract idea to a particular technological environment. Therefore, the claim is abstract without significantly more.
Dependent claims 1-11, 13-19, and 21-25, when analyzed individually or as a whole, are held to be patent ineligible under 35 U.S.C. 101 because the additional recited limitation(s) fail(s) to amount to “significantly more” than the judicial exception, and are thereby non-statutory.

Please see “The 2019 Revised Patent Subject Matter Eligibility Guidance” (or “2019 PEG” for short) published in January 2019 at the USPTO website. Note that the groupings of abstract ideas in the 2019 PEG are not the same as those on the Abstract Ideas QRS or in the MPEP. The groupings in the 2019 PEG should be FOLLOWED for identifying abstract ideas. The 2019 PEG does not change the analysis at Step 2B which pertains to an improvement to conventional functioning of a computer or to technological processes; see also MPEP 2106.05(a).


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.


In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Claims 1-3, 5, 10-13, 15, and 20-21 are rejected under 35 U.S.C. 103 as being unpatentable over Buckingham (US 11120450 B1; hereinafter “Buck”) in view of Biswas (US 20170337355 A1).

As per claim 1, Buck teaches an apparatus comprising: 
a processing device (Buck, col. 5, lines 13-20: the service computing device(s) 106; col. 14, lines 45-53); and 
a memory device coupled to the processing device, the memory device having instructions stored thereon that, in response to execution by the processing device (Buck, col. 14, lines 44-63), cause the processing device to: 
generate a deprivation token to cause disabling of a selected one or more features of a component of a computing system to prevent an exploit of a vulnerability affecting the selected one or more features (Buck, col. 7, lines 28-30: the token may have a time-to-live (TTL) such that the token may be valid for a period of time following its generation; Buck discloses the risk metric 116 may be re-evaluated and/or the second set of feature(s) 110 may be determined dynamically, e.g., in real time, with respect to receiving the indication of the requested change(s), and the user 102 may be informed of the updated second set of feature(s) 110 dynamically with respect to the determination of the updated second set of feature(s) 110; col. 14, lines 17-23); and 
However, Buck does not explicitly disclose the token representing a selected one or more features being sent to or published to prevent an exploit of a vulnerability affecting the selected one or more features.
In a related art, Biswas teaches:
publish the deprivation token to at least one of a computing system manufacturer computing system and an enterprise information technology (IT) computing system (Biswas, par. 0112: the IMS 210 performs the step 334 of sending/[publishing] the new access token to the feature manager 206; par. 0113: With the new access token, the client device 102 identifies the new feature set ID and utilize the new feature set ID in conjunction with the updated master feature registry to activate features the user is permitted to access (including the new feature(s)).).
Buck and Biswas are analogous art, because they are in a similar field of endeavor in improving the use of tokens for risk management. Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to combine them and modify Buck’s system with Biswas’ technique for sending/publishing an updated token of selected features to prevent an exploit of a vulnerability. For this combination, the motivation would have been to improve the level of security with known vulnerable features turned off.

As per claim 2, the references as combined above teach the apparatus of claim 1, comprising instructions stored in the memory device that, in response to execution by the processing device, cause the processing device to: 
distribute the deprivation token to the computing system (Biswas, par. 0112-0113: sending the updated access token to the feature manager 206 as well as the client device 102).

As per claim 3, the references as combined above teach the apparatus of claim 1, wherein the computing system comprises at least one of an affected enterprise computing system and a personal computing system (note that an optional limitation is recited herein) (Biswas, par. 0112-0113: sending the updated access token to … the client device 102).

As per claim 5, the references as combined above teach the apparatus of claim 1, comprising instructions stored in the memory device that, in response to execution by the processing device, cause the processing device to determine if the vulnerability exists for the selected one or more features (Buck, col. 1, lines 48-52: the risk metric indicating a risk of fraud associated with the at least one account operating with the first set of features; selecting a second set of features for the at least one account based at least partly on the risk metric;).

As per claim 10, the references as combined above teach the apparatus of claim 1, wherein the component comprises a processor and the feature is a hardware capability of the processor (Buck, col. 16, lines 21-43: the processor … [with] parallel processing capabilities, shared storage resources, shared networking capabilities, or other aspects.).

As per claim 11, the references as combined above teach the apparatus of claim 1, comprising including the deprivation token in a firmware update to the computing system (Buck, col. 16, lines 44-65: creates an execution environment for the computer program in question, e.g., code that constitutes processor firmware).

Regarding claim 12, it is drawn to a computer-implemented method comprising the same limitations as claim 1.  Claim 12 is therefore rejected for the same reason as claim 1.

Regarding claim 13, it is drawn to a computer-implemented method of claim 12, comprising the same limitations as claim 2. Claim 13 is therefore rejected for the same reason as claim 2.

Regarding claim 15, it recites the same limitation as claim 5. Claim 15 is therefore rejected for the same reason as claim 5.

Regarding claim 20, it is drawn to at least one non-transitory machine-readable storage medium comprising instructions that, when executed, cause at least one processor to perform the same steps as those in claim 1.  Claim 12 is therefore rejected for the same reason as claim 1.


Regarding claim 21, it is drawn to the at least one non-transitory machine-readable storage medium of claim 20, reciting the same limitation as claim 2, and therefore, claim 21 is rejected for the same reason as claim 2.

Allowable Subject Matter
Claims 4, 6-9, 14, 16-19, and 22-25 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Claims 4, 14, and 22 each recite elements of “determining the selected one or more features that can be disabled, without causing the computing system to malfunction, at a time of design or manufacturing of the component.”  These elements, in combination with the other limitations in the base claims 1, 12, and 20, respectively, are not anticipated by, nor made obvious over the prior art of record.
Claims 6, 16, and 23 each recite elements of “wherein the deprivation token comprises a vulnerability identifier (ID), a valid time, one or more feature IDs, and a digital signature.” These elements, in combination with the other limitations in the base claims 1, 12, and 20, respectively, are not anticipated by, nor made obvious over the prior art of record. Claims 7-9, 17-19, and 25 depend from claims 6, 16, and 23, and therefore are allowable.
Claim 24 recites a limitation for digitally signing the deprivation token prior to publishing the deprivation token, which is not anticipated by, nor made obvious over the prior art of record, and therefore, claim 24 is allowable over the prior art of record.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure as the prior art additionally discloses certain parts of the claim features (See “PTO-892 Notice of Reference Cited”).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DON ZHAO whose telephone number is (571)272.9953. The examiner can normally be reached on Monday to Friday, 7:30 A.M. to 5:00 P.M. EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl G Colin can be reached on 571.272.3862.  The fax phone number for the organization where this application or proceeding is assigned is 571.273.8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866.217.9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800.786.9199 (IN USA OR CANADA) or 571.272.1000.


/Don G Zhao/ Primary Examiner, Art Unit 2493
08/10/2022