DETAILED ACTION
The present application is being examined under the pre-AIA  first to invent provisions. 
Claims 1-20 are presented for examination.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of pre-AIA  35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:
(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the manner in which the invention was made.

Claims 1-20 are rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over LaBumbard (U.S. Patent Application Publication Number 2012/0304300).
Regarding claim 1, LaBumbard discloses a method, comprising: receiving, by a vulnerability scoring engine executing on a processor, vulnerabilities detected in different vulnerability categories, the different vulnerability categories including vulnerabilities relating to aspects of a mobile device, vulnerabilities relating to communication between the mobile device and a server computer, and vulnerabilities relating to communication between the mobile device and a network service (paragraph 39, discover asset vulnerabilities, and paragraph 39, end-points, servers, applications, etc.); scoring, by the vulnerability scoring engine, each respective vulnerability of the vulnerabilities, wherein the scoring comprises: mapping the respective vulnerability to different groups of vulnerability characteristics, each of the vulnerability characteristics having an associated metric value (paragraphs 43-46, analyzes each result for metrics); determining, based on the associated metric value, a score for each group of vulnerability characteristics from the mapping (paragraph 47, CVSS scores); and generating, based on the score determined for each group of vulnerability characteristics, risk scores for the vulnerabilities across the different groups of vulnerability characteristics (paragraph 118, vulnerability correlation and prioritization); and providing, by the vulnerability scoring engine to a remediation engine, the vulnerabilities thus scored, wherein the risk scores are utilized by the remediation engine for remediation policy enforcement (paragraph 123, remediation).
LaBumbard does not explicitly state a delineation between first, second, and third vulnerability categories.  LaBumbard does make clear, however, that his system identifies cyber vulnerabilities across an entire network (see paragraph 15), where different scanning tools are designed for different asset types (see paragraph 39).  Further, as noted above, LaBumbard explicitly categorizes the different asset types so as to include end-points, servers, applications, etc.  As such, one of ordinary skill in the art, given the teachings of LaBumbard, would have known how to simply organize the vulnerabilities of different type into delineated categories.  Thus, it would have been obvious to one of ordinary skill in the art at the time of the applicant’s invention to modify the system of LaBumbard by adding the ability that the different vulnerability categories include a first vulnerability category, a second vulnerability category, and a third vulnerability category.
Regarding claim 2, LaBumbard discloses detecting the vulnerabilities through a plurality of vulnerability detection engines, each of the plurality of vulnerability detection engines in one of the different vulnerability categories (paragraph 39, scanning tools).
Regarding claim 3, LaBumbard discloses wherein the different vulnerability categories include a mobile device integrity vulnerability category, a mobile device data integrity vulnerability category, a mobile device application integrity vulnerability category, a mobile device malware vulnerability category, a security service vulnerability category, an application access vulnerability category, an environmental factor vulnerability category, and an active directory access vulnerability category (paragraph 39, scanning of end-points, servers, applications, databases, etc., and paragraph 52, scanning considers access, integrity, etc., where explicit categorization of any type of scanned vulnerability is considered obvious as discussed above).
Regarding claim 4, LaBumbard discloses wherein the mapping further comprises mapping the respective vulnerability to a base metric characteristic, a temporal characteristic, and an environmental characteristic (paragraphs 43-46, base, temporal, and environment score metrics).
Regarding claim 5, LaBumbard discloses generating a report containing the vulnerabilities thus scored for presentation on a user device (paragraph 39, vulnerability data displayed to user).
Regarding claim 6, LaBumbard discloses generating a dashboard for adjusting a remediation type, a remediation degree, or both that will be selected and performed automatically by the remediation engine (paragraph 39, remediation management application).
Regarding claim 7, LaBumbard discloses for each respective vulnerability of the vulnerabilities thus scored, determining a vulnerability policy or placing the respective vulnerability in a queue (paragraph 39, prioritizes vulnerabilities).
Regarding claim 8, LaBumbard discloses a system, comprising: a processor; a non-transitory computer-readable medium; and instructions stored on the non-transitory computer-readable medium and translatable by the processor for: receiving vulnerabilities detected in different vulnerability categories, the different vulnerability categories including vulnerabilities relating to aspects of a mobile device, vulnerabilities relating to communication between the mobile device and a server computer, and vulnerabilities relating to communication between the mobile device and a network service (paragraph 39, discover asset vulnerabilities, and paragraph 39, end-points, servers, applications, etc.); scoring each respective vulnerability of the vulnerabilities, wherein the scoring comprises: mapping the respective vulnerability to different groups of vulnerability characteristics, each of the vulnerability characteristics having an associated metric value (paragraphs 43-46, analyzes each result for metrics); determining, based on the associated metric value, a score for each group of vulnerability characteristics from the mapping (paragraph 47, CVSS scores); and generating, based on the score determined for each group of vulnerability characteristics, risk scores for the vulnerabilities across the different groups of vulnerability characteristics (paragraph 118, vulnerability correlation and prioritization); and providing, to a remediation engine, the vulnerabilities thus scored, wherein the risk scores are utilized by the remediation engine for remediation policy enforcement (paragraph 123, remediation).
LaBumbard does not explicitly state a delineation between first, second, and third vulnerability categories.  LaBumbard does make clear, however, that his system identifies cyber vulnerabilities across an entire network (see paragraph 15), where different scanning tools are designed for different asset types (see paragraph 39).  Further, as noted above, LaBumbard explicitly categorizes the different asset types so as to include end-points, servers, applications, etc.  As such, one of ordinary skill in the art, given the teachings of LaBumbard, would have known how to simply organize the vulnerabilities of different type into delineated categories.  Thus, it would have been obvious to one of ordinary skill in the art at the time of the applicant’s invention to modify the system of LaBumbard by adding the ability that the different vulnerability categories include a first vulnerability category, a second vulnerability category, and a third vulnerability category.
Regarding claim 9, LaBumbard discloses wherein the instructions are further translatable by the processor for: detecting the vulnerabilities through a plurality of vulnerability detection engines, each of the plurality of vulnerability detection engines in one of the different vulnerability categories (paragraph 39, scanning tools).
Regarding claim 10, LaBumbard discloses wherein the different vulnerability categories include a mobile device integrity vulnerability category, a mobile device data integrity vulnerability category, a mobile device application integrity vulnerability category, a mobile device malware vulnerability category, a security service vulnerability category, an application access vulnerability category, an environmental factor vulnerability category, and an active directory access vulnerability category (paragraph 39, scanning of end-points, servers, applications, databases, etc., and paragraph 52, scanning considers access, integrity, etc., where explicit categorization of any type of scanned vulnerability is considered obvious as discussed above).
Regarding claim 11, LaBumbard discloses wherein the mapping further comprises mapping the respective vulnerability to a base metric characteristic, a temporal characteristic, and an environmental characteristic (paragraphs 43-46, base, temporal, and environment score metrics).
Regarding claim 12, LaBumbard discloses wherein the instructions are further translatable by the processor for: generating a report containing the vulnerabilities thus scored for presentation on a user device (paragraph 39, vulnerability data displayed to user).
Regarding claim 13, LaBumbard discloses wherein the instructions are further translatable by the processor for: generating a dashboard for adjusting a remediation type, a remediation degree, or both that will be selected and performed automatically by the remediation engine (paragraph 39, remediation management application).
Regarding claim 14, LaBumbard discloses wherein the instructions are further translatable by the processor for: for each respective vulnerability of the vulnerabilities thus scored, determining a vulnerability policy or placing the respective vulnerability in a queue (paragraph 39, prioritizes vulnerabilities).
Regarding claim 15, LaBumbard discloses a computer program product comprising a non-transitory computer-readable medium storing instructions translatable by a processor for: receiving vulnerabilities detected in different vulnerability categories, the different vulnerability categories including vulnerabilities relating to aspects of a mobile device, vulnerabilities relating to communication between the mobile device and a server computer, and vulnerabilities relating to communication between the mobile device and a network service (paragraph 39, discover asset vulnerabilities, and paragraph 39, end-points, servers, applications, etc.); scoring each respective vulnerability of the vulnerabilities, wherein the scoring comprises: mapping the respective vulnerability to different groups of vulnerability characteristics, each of the vulnerability characteristics having an associated metric value (paragraphs 43-46, analyzes each result for metrics); determining, based on the associated metric value, a score for each group of vulnerability characteristics from the mapping (paragraph 47, CVSS scores); and generating, based on the score determined for each group of vulnerability characteristics, risk scores for the vulnerabilities across the different groups of vulnerability characteristics (paragraph 118, vulnerability correlation and prioritization); and providing, to a remediation engine, the vulnerabilities thus scored, wherein the risk scores are utilized by the remediation engine for remediation policy enforcement (paragraph 123, remediation).
LaBumbard does not explicitly state a delineation between first, second, and third vulnerability categories.  LaBumbard does make clear, however, that his system identifies cyber vulnerabilities across an entire network (see paragraph 15), where different scanning tools are designed for different asset types (see paragraph 39).  Further, as noted above, LaBumbard explicitly categorizes the different asset types so as to include end-points, servers, applications, etc.  As such, one of ordinary skill in the art, given the teachings of LaBumbard, would have known how to simply organize the vulnerabilities of different type into delineated categories.  Thus, it would have been obvious to one of ordinary skill in the art at the time of the applicant’s invention to modify the system of LaBumbard by adding the ability that the different vulnerability categories include a first vulnerability category, a second vulnerability category, and a third vulnerability category.
Regarding claim 16, LaBumbard discloses wherein the instructions are further translatable by the processor for: detecting the vulnerabilities through a plurality of vulnerability detection engines, each of the plurality of vulnerability detection engines in one of the different vulnerability categories (paragraph 39, scanning tools).
Regarding claim 17, LaBumbard discloses wherein the different vulnerability categories include a mobile device integrity vulnerability category, a mobile device data integrity vulnerability category, a mobile device application integrity vulnerability category, a mobile device malware vulnerability category, a security service vulnerability category, an application access vulnerability category, an environmental factor vulnerability category, and an active directory access vulnerability category (paragraph 39, scanning of end-points, servers, applications, databases, etc., and paragraph 52, scanning considers access, integrity, etc., where explicit categorization of any type of scanned vulnerability is considered obvious as discussed above).
Regarding claim 18, LaBumbard discloses wherein the mapping further comprises mapping the respective vulnerability to a base metric characteristic, a temporal characteristic, and an environmental characteristic (paragraphs 43-46, base, temporal, and environment score metrics).
Regarding claim 19, LaBumbard discloses wherein the instructions are further translatable by the processor for: generating a report containing the vulnerabilities thus scored for presentation on a user device (paragraph 39, vulnerability data displayed to user).
Regarding claim 20, LaBumbard discloses wherein the instructions are further translatable by the processor for: generating a dashboard for adjusting a remediation type, a remediation degree, or both that will be selected and performed automatically by the remediation engine (paragraph 39, remediation management application).

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-27 of U.S. Patent Number 10,686,819 and claims 1-20 of U.S. Patent Number 11,438,365.  Although the claims at issue are not identical, they are not patentably distinct from each other because the claims of the present application are a broader variation of the claims of the patents.  Where the claims of the patents do not include each and every limitation of the claims of the present application, the claims of the present application are rejected over the claims of the patents in view of the prior art as discussed above.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Victor Lesniewski whose telephone number is (571)272-2812. The examiner can normally be reached Monday thru Friday, 9am to 5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on 571-272-3862. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/Victor Lesniewski/Primary Examiner, Art Unit 2493