Venice, June 30 - July 4, 2025
10th IEEE European Symposium on Security and Privacy
https://eurosp2025.ieee-security.org


Call For Papers

The IEEE European Symposium on Security and Privacy (Euro S&P) is the
younger, more adventurous, and tastier sibling conference of the IEEE
Symposium on Security and Privacy ("Oakland" or "NorCal S&P")
conference. It is a premier forum for computer security and privacy
research, presenting the latest developments and bringing together
researchers and practitioners.

We solicit previously unpublished papers offering novel research
contributions in security or privacy, as well as Systematization of
Knowledge papers that systematize previous results. EuroS&P is
interested in all aspects of applied computer security and privacy. We
especially encourage papers that are far-reaching and risky, provided
those papers show sufficient promise for creating interesting
discussions and usefully questioning widely-held beliefs. Papers
without a clear connection to security or privacy will be considered
out of scope and may be rejected without full review.  Conference
Expectations

Since its inception, EuroS&P has been running as a single-track
conference. We believe that maintaining the engagement and
sense-of-community benefits that come from a single-track conference
is very beneficial. At the same time, we expect that with the rising
number of submissions, the time allocated to each will decrease more
and more. Therefore, at the time of publishing the CfP, we can neither
commit to a single-track conference nor to the length of presentations
at the conference.

We aim for a review process that will be rigorous and thorough,
resulting in the acceptance of every paper with scientific merit and
sufficient value to the community, and incorporate a four-week
revision opportunity in which the PC assists authors to try to get as
many papers as possible to the level needed.  

Revision Option

EuroS&P features the option to revise papers for which the program
committee sees a path for revision that is likely to lead to
acceptance, even though the initial submission was not considered
acceptable. If authors who are invited to do so wish to submit a
revised paper, they must do so within four weeks of the
notification. Revised papers will be re-reviewed by the same reviewers
who reviewed the original submission. Neither acceptance with
shepherding nor an invitation to submit a revised paper implies that
eventual acceptance is certain.

New in 2025: Per-Reviewer Responses

Almost all major security and privacy conferences feature an
author-response phase, sometimes including interactive exchanges
between authors and reviewers. As chairs, we have experienced this
process to be challenging for both authors and reviewers; authors need
to fit their response into a short word limit and reviewers must
untangle the answers to their questions from the dense responses. To
improve on this, EuroS&P 2025 will feature per-reviewer
responses. Reviewers will be asked to provide a limited set of
explicit questions that the response should focus on. Authors are then
expected to solely focus on the questions as well as factual
errors. To ensure timely responses, we will provide the reviews for
all papers which advance to Round 2 and will subsequently give authors
approx. three working days to respond to the initial Round 1
reviews. Then, after Round 2, authors will be provided with all
additional reviews and can respond to the new ones. Note that papers
rejected after Round 1 will not be able to provide responses.

With this change, we hope to improve on the communication between
individual reviewers and authors, but also to provide reviewers to
read the responses with the papers still fresh in their minds rather
than weeks after submitting their Round 1 reviews.

Returning from 2024: Meta Reviews


The discussions about individual papers are conducted “behind closed
doors” within the set of reviewers. In the best case, reviewers will
leave a summary of the discussion visible exclusively to the
authors. To facilitate more transparency in the process of accepting
papers, EuroS&P 2025 will feature a publicly available meta review
(accessible through the EuroS&P website) for each accepted paper. This
meta review will outline the PC’s main reasons for accepting the paper
and may also contain limitations the PC identified.  

Systematization of Knowledge Papers

We solicit systematization of knowledge (SoK) papers that evaluate,
systematize, and contextualize existing knowledge, as such papers can
provide a high value to our community. Suitable papers are those that
provide an important new viewpoint on an established, major research
area; support or challenge long-held beliefs in such an area with
compelling evidence; or present a convincing, comprehensive new
taxonomy of such an area. Survey papers without such insights are not
appropriate.

Submissions will be distinguished by the prefix "SoK:" in the title on
the submission form. They will be reviewed by the full PC and held to
the same standards as traditional research papers, except instead of
emphasizing novel research contributions, the emphasis will be on
their value to the community. Accepted papers will be presented at the
symposium and included in the proceedings.

Paper Awards

Outstanding papers will be selected by the program committee for paper
awards. The award finalists and winners will be announced at the
symposium.

Important Dates

All deadlines are Anywhere on Earth (AoE = UTC-12h).

Research Papers 	Registration deadline (incl. topics and abstracts)
	     		21 October 2024 (Monday) 
	Submission deadline 	24 October 2024 (Thursday) 
	Early rejection notification 	11 December 2024 (Wednesday)
	R1 Rebuttal period 	12 December - 16 December 2024 (Monday)
	R2 Rebuttal period 	20 - 23 January 2025 (Monday to Thursday)
	Author Notification 	13 February 2025 (Thursday)
	Submission of revised papers 	20 March 2025 (Thursday)
	Revision Decisions 	3 April 2025 (Thursday)
	Camera-ready deadline 	tentatively: 17 April 2025 (Thursday)

Conference 	Venice, Italy 	30 June - 4 July 2025  

Proactive Prevention of Harm

We expect authors to carefully consider and address the potential
harms associated with carrying out their research, as well as the
potential negative consequences that could stem from publishing their
work. Failure to adequately discuss such potential harms within the
body of the submission may result in rejection of a submission,
regardless of its quality and scientific value.

Although risking to cause harm is sometimes a necessary and legitimate
aspect of scientific research in computer security and privacy,
authors are expected to document how they addressed and mitigated such
risks. This includes, but is not limited to, considering the impact of
the research on deployed systems, understanding the costs the research
imposes on others, safely and appropriately collecting data, and
following responsible disclosure practices. Papers should include a
clear statement as to how the benefit of the research outweighs the
potential harms, and how the authors have taken measures and followed
best practices to ensure safety and minimize the potential harms
caused by their research.

If the submitted research has potential to cause harm, and authors
have access to an Institutional Review Board (IRB), we expect that
this IRB was consulted appropriately and that its approval and
recommendations are documented in the paper. We note that IRBs are not
necessarily well-versed in computer security research and may not know
the best practices and community norms in our field, so IRB approval
does not absolve researchers from considering ethical aspects of their
work. In particular, IRB approval is not sufficient to guarantee that
the PC will not have additional concerns with respect to harms
associated with the research.

We encourage authors to consult existing documentation, e.g., Common
Pitfalls in Writing about Security and Privacy Human Subjects
Experiments, and How to Avoid Them or the Menlo Report and existing
Safety consultation entities, e.g., the Tor Safety Research
Board. These can help in thinking about potential harms, and in
designing the safest experiments and disclosure processes.

Open Science Expectations

Our expectation for Euro S&P is that researchers will maximize the
scientific and community value of their work by making it as open as
possible. This means that, by default, all of the code, data, and
other materials (such as survey instruments) needed to reproduce your
work described in an accepted paper will be released publicly under an
open source license. Sometimes it is not possible to share work this
openly, such as when it involves malware samples, data from human
subjects that must be protected, or proprietary data obtained under
agreement that preclude publishing the data itself. All submissions
must therefore include a clear statement on Data Availability (as a
separate appendix which does not count towards the page limit) that
explains how the artifacts needed to reproduce their work will be
shared, or an explanation of why they will not be shared. The Program
Chairs will hold authors to the commitments made in their submissions,
and papers that fail to satisfy these commitments may be removed from
the conference.

Plagiarism and Duplicate Submission

All submissions must be original work. Plagiarism (whether of others
or self) will be grounds for rejection. The submission must clearly
document any overlap with previously published or simultaneously
submitted papers from any of the authors. Failure to point out and
explain overlap will be grounds for rejection.

Simultaneous submission of the same or substantially similar paper to
another venue with proceedings or a journal is not allowed and will be
grounds for automatic rejection.

Anonymous Submission

Papers must be submitted in a form suitable for anonymous review: no
author names or affiliations may appear on the title page, and papers
should avoid revealing their identity in the text. When referring to
your previous work, do so in the third person, as though it were
written by someone else. References should only be blinded in the
(unusual) case that a third-person reference is infeasible. Any source
code or other material (e.g., data sets) which requires hosting must
use anonymous services. This explicitly excludes hosting on Github
(which may leak author identities) or Google Drive (which could leak
reviewer identities). Instead, authors are encouraged to use services
such Anonymous Github. Contact the program chairs if you have any
questions. Papers that are not properly anonymized may be rejected
without review.

The purpose of anonymous submissions is to give reviewers the chance to read the paper without being biased by knowing the authors. Hence authors are required to ensure that the paper they submit does not, within reason, leak their identity.

However, the process of anonymous submission is considered to be
cooperative, not adversarial. Authors should not put explicit clues to
their identity in the paper or otherwise purposefully deanonymize
themselves to reviewers. Authors who think disclosing revealing
aspects of their identities or setting would be important for
positioning the paper, should consult with the PC chairs on how to do
this in their submission. Reviewers are trusted to not actively look
for the identity of authors, for instance by searching the internet
for the paper title. By policy, authors may post their paper to public
"preprint" archives (including arxiv) before, during, or after the
review period.

The Program Chairs will reject papers that, in their sole judgment,
blatantly violate the requirement for author anonymity.

Reviews from Prior Submissions

For papers that were previously submitted to, and rejected from,
another conference, authors may optionally submit a separate document
containing the (anonymized, but otherwise unedited) prior reviews
along with a description of how those reviews were addressed in the
current version of the paper.

To avoid biasing reviewers, reviewers will only see the provided
supplementary material after submitting their own review. Then,
reviewers will be able to see the submitted previous reviews, and may
revise their review as a result.

Page Limit and Formatting

Papers shall not exceed 13 pages of body text, with unlimited
additional pages for references and appendices. The statement on Data
Availability should be part of the appendix, and does not count
towards the page limit. Reviewers are explicitly not expected to read
the appendices while deciding whether to accept or reject the paper.

Papers must be typeset in LaTeX in A4 format (not "US Letter") using
the IEEE conference proceeding template we supply eurosp-template.zip
Please do not use other IEEE templates.

Submissions must be in Portable Document Format (.pdf). Authors should
pay special attention to unusual fonts, images, and figures that might
create problems for reviewers. Your document should render correctly
in Adobe Reader XI and when printed in black and white.

Failure to adhere to the page limit and formatting requirements can be
grounds for rejection without review.

Conference Submission Server

Papers must be submitted at
https://hotcrp.eurosp2025.ieee-security.org and may be updated at any
time until the submission deadline expires.

Publication and Presentation

Authors are responsible for obtaining appropriate publication
clearances. One of the authors of the accepted paper is expected to
present the paper at the conference. We are expecting to hold an
in-person conference and that authors will be able to travel to the
conference to present their paper. In case this is not possible, at
least one author still must register for the conference, but unless a
replacement for the presenter can be found, the presentation will be
skipped. Instead, EuroS&P will offer to link to a video presentation
from its website.