We expect authors to carefully consider and address the potential harms associated with carrying out their research, as well as the potential negative consequences that could stem from publishing their work. Failure to adequately discuss such potential harms within the body of the submission may result in rejection of a submission, regardless of its quality and scientific value.

Although risking to cause harm is sometimes a necessary and legitimate aspect of scientific research in computer security and privacy, authors are expected to document how they addressed and mitigated such risks. This includes, but is not limited to, considering the impact of the research on deployed systems, understanding the costs the research imposes on others, safely and appropriately collecting data, and following responsible disclosure practices. Papers should include a clear statement as to how the benefit of the research outweighs the potential harms, and how the authors have taken measures and followed best practices to ensure safety and minimize the potential harms caused by their research.

If the submitted research has potential to cause harm, and authors have access to an Institutional Review Board (IRB), we expect that this IRB was consulted appropriately and that its approval and recommendations are documented in the paper. We note that IRBs are not necessarily well-versed in computer security research and may not know the best practices and community norms in our field, so IRB approval does not absolve researchers from considering ethical aspects of their work. In particular, IRB approval is not sufficient to guarantee that the PC will not have additional concerns with respect to harms associated with the research.

We encourage authors to consult existing documentation, e.g., Common Pitfalls in Writing about Security and Privacy Human Subjects Experiments, and How to Avoid Them or the Menlo Report and existing Safety consultation entities, e.g., the Tor Safety Research Board. These can help in thinking about potential harms, and in designing the safest experiments and disclosure processes.

Our expectation for Euro S&P is that researchers will maximize the scientific and community value of their work by making it as open as possible. This means that, by default, all of the code, data, and other materials (such as survey instruments) needed to reproduce your work described in an accepted paper will be released publicly under an open source license. Sometimes it is not possible to share work this openly, such as when it involves malware samples, data from human subjects that must be protected, or proprietary data obtained under agreement that preclude publishing the data itself. All submissions should therefore include a clear statement on Data Availability that explains how the artifacts needed to reproduce their work will be shared, or an explanation of why they will not be shared. The Program Chairs will hold authors to the commitments made in their submissions, and papers that fail to satisfy these commitments may be removed from the conference.

All submissions must be original work. Plagiarism (whether of others or self) will be grounds for rejection. The submission must clearly document any overlap with previously published or simultaneously submitted papers from any of the authors. Failure to point out and explain overlap will be grounds for rejection.

Simultaneous submission of the same or substantially similar paper to another venue with proceedings or a journal is not allowed and will be grounds for automatic rejection.

Papers must be submitted in a form suitable for anonymous review: no author names or affiliations may appear on the title page, and papers should avoid revealing their identity in the text. When referring to your previous work, do so in the third person, as though it were written by someone else. References should only be blinded in the (unusual) case that a third-person reference is infeasible. Contact the program chairs if you have any questions. Papers that are not properly anonymized may be rejected without review.

The purpose of anonymous submissions is to give reviewers the chance to read the paper without being biased by knowing the authors. Hence authors are required to ensure that the paper they submit does not, within reason, leak their identity.

However, the process of anonymous submission is considered to be cooperative, not adversarial. Authors should not put explicit clues to their identity in the paper or otherwise purposefully deanonymize themselves to reviewers. Authors who think disclosing revealing aspects of their identities or setting would be important for positioning the paper, should consult with the PC chairs on how to do this in their submission. Reviewers are trusted to not actively look for the identity of authors, for instance by searching the internet for the paper title. By policy, authors may post their paper to public “preprint” archives (including arxiv) before, during, or after the review period.

The Program Chairs will reject papers that, in their sole judgment, blatantly violate the requirement for author anonymity.