= IEEE Symposium on Security and Privacy =

Infobox
- History: 1980–present
- Discipline: Computer security and privacy
- Abbreviation: IEEE S&P, IEEE SSP
- Publisher: IEEE
- Frequency: Annual

The IEEE Symposium on Security and Privacy (IEEE S&P, IEEE SSP), also known as the Oakland Conference, is an annual conference focusing on topics related to computer security and privacy. The conference was founded in 1980 by Stan Ames and George Davida and is considered to be among the top conferences in the field. The conference has a single track, meaning that all presentations and sessions are held sequentially in one venue. The conference also follows a double-blind review process, where both the authors' and reviewers' identities are concealed from each other to ensure impartiality and fairness during the peer review process.

The conference started as a small workshop where researchers exchanged ideas on computer security and privacy, with an early emphasis on theoretical research. During these initial years, there was a divide between cryptographers and system security researchers, with cryptographers often leaving sessions focused on systems security. This issue was eventually addressed by combining cryptography and system security discussions in the same sessions. In 2011, the conference moved to San Francisco due to venue size concerns.

The conference has a low acceptance rate because it has only a single track. The review process for the conference tends to evaluate papers on a variety of criteria, with a focus on novelty. In 2022, researchers interviewed reviewers from top security conferences like IEEE S&P and found that the review process of the conferences was exploitable due to inconsistent reviewing standards across reviewers. The reviewers recommended mentoring new reviewers with a focus on reviewing quality to mitigate this issue.

In 2021, researchers from the University of Minnesota submitted a paper to the conference in which they tried to introduce bugs into the Linux kernel, a widely used operating system component, without Institutional Review Board (IRB) approval. The paper was accepted and was scheduled to be published; however, after criticism from the Linux kernel community, the authors retracted the paper and issued a public apology. In response to this incident, IEEE S&P committed to adding an ethics review step in their paper review process and improving their documentation surrounding ethics declarations in research papers.

== History ==
The conference was initially conceived by researchers Stan Ames and George Davida in 1980 as a small workshop for discussing computer security and privacy. This workshop gradually evolved into a larger gathering within the field. Held initially at Claremont Resort, the first few iterations of the event witnessed a division between cryptographers and systems security researchers. Discussions during these early iterations predominantly focused on theoretical research, neglecting practical implementation considerations. This division persisted, to the extent that cryptographers would often leave sessions focused on systems security topics. In response, subsequent iterations of the conference integrated panels that encompassed both cryptography and systems security discussions within the same sessions. Over time, the conference's attendance grew, leading to a relocation to San Francisco in 2011 due to venue capacity limitations.

== Structure ==
IEEE Symposium on Security and Privacy considers papers from a wide range of topics related to computer security and privacy. Every year, the program chairs of the conference publish a list of topics of interest, which changes based on the trends in the field. In past meetings, IEEE Symposium on Security and Privacy has considered papers on topics like web security, online abuse, blockchain security, hardware security, malware analysis and artificial intelligence. The conference follows a single-track model for its proceedings, meaning only one session takes place at any given time. This approach deviates from the multi-track format commonly used in other security and privacy conferences, where multiple sessions on different topics run concurrently. Papers submitted for consideration to the conference are reviewed using a double-blind process to ensure fairness. However, the single-track model constrains the conference in the number of papers it can accept, resulting in a low acceptance rate often in the single digits, unlike other conferences, which may have rates in the range of 15 to 20 percent. In 2023, IEEE Symposium on Security and Privacy introduced a Research Ethics Committee that would screen papers submitted to the conference and flag instances of potential ethical violations in the submitted papers.

In 2022, a study conducted by Soneji et al. showed that the review processes of top security conferences, including the IEEE Symposium on Security and Privacy, were exploitable. The researchers interviewed 21 reviewers about the criteria they used to judge papers during the review process. Among these reviewers, 19 identified novelty (whether the paper advanced the research problem or the state of the art) as their primary criterion. Nine reviewers also noted the importance of technical soundness in the implementation, while seven mentioned the need for a self-contained and complete evaluation such that all identified areas were thoroughly explored. Additionally, six reviewers highlighted the importance of clear and effective writing in their assessments. Based on these interviews, the researchers identified a lack of objective criteria for paper evaluation and a degree of randomness among reviews provided by conference reviewers as the major weaknesses of the peer review process used by the conferences. To remediate this, the researchers recommended mentoring new reviewers with a focus on enhancing review quality rather than other productivity metrics. They acknowledged an initiative by IEEE S&P allowing PhD students and postdoctoral researchers to shadow reviewers on the program committee, but also pointed out findings from a 2017 report suggesting that these students tended to be more critical in their assessments than experienced reviewers, since they were not graded on review quality.

== Minnesota Linux kernel incident ==
In 2021, researchers from the University of Minnesota submitted a paper titled "On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits" to the 42nd iteration of the conference. They aimed to highlight vulnerabilities in the review process of Linux kernel patches, and the paper was accepted for presentation in 2021. The Linux kernel is a widely used open-source operating system component that forms the core of the Linux operating system, which is a popular choice in servers and in consumer-oriented devices like the Steam Deck, Android and ChromeOS. Their method involved writing patches for existing trivial bugs in the Linux kernel in such a way that the patches intentionally introduced security bugs into the software. Four patches were submitted by the researchers under pseudonyms, three of which were rejected by their respective code reviewers, who correctly identified the buggy code. The fourth patch was merged; however, during a subsequent investigation it was found that the researchers had misunderstood the way the code worked and had submitted a valid fix. This attempt at including bugs was done without Institutional Review Board (IRB) approval. Despite the paper undergoing review by the conference, this breach of ethical responsibilities was not detected during the paper's review process. The incident sparked criticism from the Linux community and the broader cybersecurity community. Greg Kroah-Hartman, one of the lead maintainers of the kernel, banned both the researchers and the university from making further contributions to the Linux project, ultimately leading the authors and the university to retract the paper and issue an apology to the community of Linux kernel developers. In response to this incident, IEEE S&P committed to adding an ethics review step in their paper review process and improving their documentation surrounding ethics declarations in research papers.
