Call for Papers
The SCORED workshop invites academia, industry, and governmental entities to submit original research papers and demos (hands-on or videos) concerning the security of software supply chains from both technical and policy perspectives.
Suggested topics include, but are not limited to:
- Attacks on the software supply chain
- Securing source control
- Trustworthy builds
- Reproducible builds
- Secure CI/CD
- Code signing
- Integrity for container images
- Package management security
- Code dependency tracking and patch propagation
- Software updates
- Developer identity management
- Code vulnerability tracking and disclosure as well as vulnerable code-clone detection
- Static analysis
- Hardware-assisted software supply chain integrity
- Software bills of materials (SBOMs)
- Specification of supply chain security policies
- Tools for securing the SW supply chain
- Interfacing the hardware and software supply chains
- Surveys or Systematization of Knowledge (SoK) of the SW supply chain security landscape
- Public policy around SW supply chain security
- SW supply chain security best practices
- Domain-specific software supply chains (voting, finance, etc.)
- Security economics
- Human behavioral and measurement studies, e.g. on the adoption of best practices
- Software engineering education
- Policy declaration and enforcement for control plane
- Computer-aided vulnerability patching
- Computer-aided language translation, e.g. C2Rust
- Paper/demo abstract submission deadline: August 5, 2022
July 29, 2022 (11:59pm AoE)
- Author notification: on/around September 2, 2022
- Camera ready due: September
3022, 2022 (hard deadline)
- Workshop: November 11, 2022 (co-located with ACM CCS)
Submissions include research papers (5-8 pages), position papers (2-5 pages) and demo abstracts (2-3 pages):
- Research papers include a) Original research on a SW supply chain security topic, b) Systematization of Knowledge (SoK) of SW supply chain security;
- Position papers identify and discuss key challenges and opportunities to address as a research topic.
- Demo abstracts present interesting findings on SW supply chain security in practice, which will be accompanied by a hands-on presentation during the workshop.
For submission, paper page limits do not include appendices and references. Final versions of papers may not exceed a total of 8 or 11 pages for position papers or research papers, respectively. Submitted abstracts can be up to 2 pages including references. Submissions accompanied by non-disclosure agreement forms will not be considered.
Submissions (including abstracts) must be a PDF file in double-column ACM format (see https://www.acm.org/publications/proceedings-template, with a simpler version at https://github.com/acmccs/format). Note that reviewers are not required to read the appendices or any supplementary material. Authors should not change the font or the margins of the ACM format.
Submissions not following the required format may be rejected without review.
Accepted papers and abstracts will be published by the ACM Press and/or the ACM Digital Library. A shepherd may be assigned to ensure the quality of the proceedings version of the submission. Each accepted submission must be presented at SCORED by a registered author.
Policy for Simultaneous Submissions
Authors of submitted research papers to SCORED are welcome to additionally submit a demo abstract for presentation at the same SCORED workshop. Demo abstracts that are overly focused on the advertisement of a product or service, rather than interesting findings and insights gained from the use of a product or operation of a service, are heavily discouraged.
Submissions must not substantially overlap with papers that have been published or that are simultaneously submitted to a journal or a conference with proceedings. Submissions not meeting these guidelines risk immediate rejection.
The review process will be double-blind. Papers and abstracts must be submitted in a form suitable for anonymous review: (1) The title page should not contain any author names or affiliations. (2) When referring to your previous work, do so in the third person, as though it were written by someone else. Only blind the reference itself in the (unusual) case that a third-person reference is infeasible. (3) Authors may include links to websites that contain source code, tools, or other supplemental material. Neither the link in the submission nor the website itself should contain the authors’ names or affiliations.
Papers or abstracts that are not properly anonymized may be rejected without review.
While submitted papers must be anonymous, authors may choose to give talks about their work, post a preprint of the paper online, disclose security vulnerabilities to vendors or the public, etc. during the review process.
Conflicts of Interest
The program co-chairs require cooperation from both authors and program committee members to prevent submissions from being evaluated by reviewers who have a conflict of interest. During the submission process, we will ask authors to identify members of the program committee with whom they share a conflict of interest. This includes: (1) anyone who shares an institutional affiliation with an author at the time of submission, (2) anyone who was the advisor or advisee of an author at any time in the past, (3) anyone the author has collaborated or published with in the prior two years, (4) anyone who is serving as the sponsor or administrator of a grant that funds your research, or (5) close personal friendships. For other forms of conflict, authors must contact the chairs and explain the perceived conflict.
Responsible Vulnerability Disclosure
If the submission describes, or otherwise takes advantage of, newly identified vulnerabilities or attacks (e.g., software vulnerabilities in a given program or design weaknesses in a hardware system), the authors should disclose these vulnerabilities to the vendors/maintainers of affected software or hardware systems prior to the CFP deadline. When disclosure is necessary, authors are expected to include a statement within their submission and/or final paper about steps taken to fulfill the goal of responsible disclosure.
Human Subjects and Ethical Considerations
Submissions that describe experiments on human subjects, that analyze data derived from human subjects (even anonymized data), or that otherwise may put humans at risk should:
- Disclose whether the research received an approval or waiver from each of the authors’ institutional ethics review boards (e.g., an IRB).
- Discuss steps taken to ensure that participants and others who might have been affected by an experiment were treated ethically and with respect.
If a paper raises significant ethical or legal concerns, including in its handling of personally identifiable information (PII) or other kinds of sensitive data, it might be rejected based on these concerns.
Submit your paper or demo abstract here: https://scored2022.hotcrp.com/