Call for Papers/Talks

The SCORED workshop invites academia, industry, and governmental entities to submit original research papers or security-in-practice talks concerning the security of software supply chains from both technical and policy perspectives.

Suggested topics include, but are not limited to:

• Attacks on the software supply chain
• Securing source control
• Trustworthy builds
• Reproducible builds
• Secure CI/CD
• Code signing
• Integrity for container images
• Package management security
• Code dependency tracking and patch propagation
• Auditable storage for metadata
• Software updates
• Developer identity management
• Code vulnerability tracking and disclosure as well as vulnerable code-clone detection
• Static analysis
• Hardware-assisted software supply chain integrity
• Software bills of materials (SBOMs)
• Specification of supply chain security policies
• Tools for securing the SW supply chain
• Interfacing the hardware and software supply chains
• Surveys or Systemization of Knowledge (SoK) of the SW supply chain security landscape
• Public policy around SW supply chain security
• SW supply chain security best practices
• Standards
• Domain-specific software supply chains (voting, finance etc)
• Security economics
• Human behavioral and measurement studies, e.g. on the adoption of best practices
• Software engineering education
• Policy declaration and enforcement for control plane
• Computer-aided vulnerability patching
• Computer-aided language translation, e.g. C2Rust

Important Dates

• Submission deadline: July 12, 2023 June 30, 2023
• Author notification: August 21, 2023 August 18, 2023
• Shepherding deadline: September 1, 2023
• Final paper and talk abstracts due: September 8, 2023
• Workshop: November 30, 2023 (hybrid event, co-located with ACM CCS)

Submission Format

Submissions in SCORED ‘23 fall under two tracks: research papers (5-8 pages), and security-in-practice talks (800 words max):

• Research papers: a) Original research on a SW supply chain security topic, b) Systematization of Knowledge (SoK) of SW supply chain security;
• Security-in-practice talks: Focus is on presenting experiences and perspectives from industry, open-source, NGOs, or policymakers/law. Talks may discuss key challenges in risk management or adoption, recommend opportunities to address as a research topic, or project demos.

Submissions accompanied by non-disclosure agreement forms will not be considered. Submissions not following the required format may be rejected without review.

Research Papers

Page limits do not include appendices and references. Final versions of papers may not exceed a total of 10 pages for research papers.

Submissions in the research paper track must be a PDF file in double-column ACM format (see https://www.acm.org/publications/proceedings-template, with a simpler version at https://github.com/acmccs/format). Note that reviewers are not required to read the appendices or any supplementary material. Authors should not change the font or the margins of the ACM format.

Accepted papers will be published by the ACM Press and/or the ACM Digital Library. A shepherd may be assigned to ensure the quality of the proceedings version of the submission. Each accepted submission must be presented at SCORED by a registered author.

Security-in-Practice (SIP) Talks (NEW IN 2023)

Submissions in the SIP talk track propose a 20-min one or two-speaker talk on a specific workshop topic. Submissions must include two parts: (1) an Abstract that provides a detailed and focused summary of the proposed talk (max 300 words), and (2) a “Relevance and Benefits to the Ecosystem” section that describes how the content of your presentation will help better the ecosystem or anything you wish to share with the program committee (max 500 words). These two sections must not exceed 2 pages, including any supplementary materials figures, tables and references.

Final versions of SIP talk abstracts must use the provided template to be included in the proceedings.

Policy for Simultaneous Submissions

Authors of submitted research papers to SCORED are welcome to additionally submit a security-in-practice talk for presentation at the same SCORED workshop. Talk abstracts that are overly focused on the advertisement of a product or service, rather than interesting findings and insights gained from the use of a product or operation of a service in practice, are heavily discouraged.

Submissions must not substantially overlap with papers that have been published or that are simultaneously submitted to a journal or a conference with proceedings. Submissions not meeting these guidelines risk immediate rejection.

Anonymous Submission

The review process will be double-blind. Papers and talk abstracts must be submitted in a form suitable for anonymous review: (1) The title page should not contain any author names or affiliations. (2) When referring to your previous work, do so in the third person, as though it were written by someone else. Only blind the reference itself in the (unusual) case that a third-person reference is infeasible. (3) Authors may include links to websites that contain source code, tools, or other supplemental material. Neither the link in the submission nor the website itself should contain the authors’ names or affiliations.

Papers or abstracts that are not properly anonymized may be rejected without review.

While submitted papers must be anonymous, authors may choose to give talks about their work, post a preprint of the paper online, disclose security vulnerabilities to vendors or the public, etc. during the review process.

Conflicts of Interest

The program co-chairs require cooperation from both authors and program committee members to prevent submissions from being evaluated by reviewers who have a conflict of interest. During the submission process, we will ask authors to identify members of the program committee with whom they share a conflict of interest. This includes: (1) anyone who shares an institutional affiliation with an author at the time of submission, (2) anyone who was the advisor or advisee of an author at any time in the past, (3) anyone the author has collaborated or published within the prior two years, (4) anyone who is serving as the sponsor or administrator of a grant that funds your research, or (5) personal friendships. For other forms of conflict, authors must contact the chairs and explain the perceived conflict.

Responsible Vulnerability Disclosure

If the submission describes, or otherwise takes advantage of, newly identified vulnerabilities or attacks (e.g., software vulnerabilities in a given program or design weaknesses in a hardware system), the authors should disclose these vulnerabilities to the vendors/maintainers of affected software or hardware systems prior to the CFP deadline. When disclosure is necessary, authors are expected to include a statement within their submission and/or final paper about steps taken to fulfill the goal of responsible disclosure.

Human Subjects and Ethical Considerations

Submissions that describe experiments on human subjects, that analyze data derived from human subjects (even anonymized data), or that otherwise may put humans at risk should: Disclose whether the research received an approval or waiver from each of the authors’ institutional ethics review boards (e.g., an IRB). Discuss steps taken to ensure that participants and others who might have been affected by an experiment were treated ethically and with respect. If a paper raises significant ethical or legal concerns, including in its handling of personally identifiable information (PII) or other kinds of sensitive data, it might be rejected based on these concerns.

Submission Site

Submit your paper or demo abstract here: https://scored2023.hotcrp.com/