(Please help nominate PC members)
The 33rd ACM Conference on Computer and Communications Security (CCS) seeks submissions presenting novel contributions related to all real-world aspects of computer security and privacy. Theoretical papers must make a convincing case for the relevance of their results to practice. Authors are encouraged to write the abstract and introduction of their paper in a way that makes the results accessible and compelling to a general computer-security researcher. In particular, authors should bear in mind that anyone on the program committee may be asked to review any paper.
CCS has two review cycles in 2026. For each submission, one of the following decisions will be made:
- Accept: Papers in this category will be accepted for publication in the proceedings and presentation at the conference, possibly after making minor changes with the oversight of a shepherd.
- Minor revision: Papers in this category are considered to be promising but need some minor additional work (e.g., minor experiments, proofs to minor lemmas). Authors will be given the opportunity to resubmit such papers, with appropriate revisions, in which case they should clearly explain in a separate note how the revisions address the comments of the reviewers. The revised paper will then be re-evaluated, and either accepted or rejected.
- Reject: Papers in this category are declined for inclusion in the conference. Papers rejected from the first review cycle may not be submitted again (even in revised form) to the second review cycle. Authors of each accepted paper must ensure that at least one author registers for the conference, and that their paper is presented in-person at the conference if at all possible.
All submissions must be received by 11:59 PM AoE (UTC-12) on the day of the corresponding deadline. Submitted papers must not substantially overlap with papers that have been published or accepted for publication, or that are simultaneously in submission to a journal, conference, or workshop with published proceedings. All submissions should be properly anonymized. Papers should avoid revealing authors' identity in the text. When referring to their previous work, authors are required to cite their papers in the third person, without identifying themselves. In the unusual case in which a third-person reference is infeasible, authors can blind the reference itself. Papers not properly anonymized may be rejected without review. Authors may submit up to a maximum of 5 papers at each cycle.
All submitted papers will be evaluated based on their merits, particularly their importance to practical aspects of computer and communications security and privacy, novelty, quality of execution, and presentation. Note that CCS does not accept SoK or survey papers. For papers that might raise ethical concerns, authors are expected to convince reviewers that proper procedures (such as IRB approval or responsible disclosure) have been followed, and due diligence has been made to minimize potential harm.
Submitted papers may be rejected for being out of scope, at the discretion of the PC chairs. Authors who have questions about whether their paper is in scope are encouraged to ask the PC chairs in advance. No modifications to the author list on a paper may be made after submission.
A paper can be withdrawn at any point before the reviews have been sent to the authors. Once the reviews have been sent to the authors the paper cannot be withdrawn.
Submissions must be a PDF file in double-column ACM format using "sigconf" 2-column format, no more than 12 pages long, excluding the bibliography, well-marked appendices, and supplementary material. Note that reviewers are not required to read the appendices or any supplementary material. Authors should not change the font or the margins of the ACM format. The CCS information, such as concepts, keywords, or rights management information (e.g., DOI and ISBN), must be retained. The teaser figure is optional. Please refer to the sample-sigconf.tex and sample-sigconf.pdf in the ACM package (also mirrored here) as an example. Submissions not following the required format may be rejected without review.
Submissions whose claimed contributions rely on artifacts (e.g., code, models, data sets) are expected to make these accessible to the reviewers, e.g., through a link to an anonymous resource, unless there are good reasons not to, in which case these reasons must be mentioned in the submission. Submissions whose claimed contributions do not rely on artifacts do not need to submit artifacts. An anonymous link to a resource on the web is acceptable, provided the contents in the resource are also anonymized.
A published scientific paper consists of a constellation of artifacts that extend beyond the document itself: software, hardware, evaluation data and documentation, raw survey results, mechanized proofs, models, test suites, benchmarks, and so on. To emphasize the importance of such artifacts, the benefits to the authors and the community as a whole, and promote the reproducibility of experimental results, ACM CCS will, for the third time, introduce an optional artifact evaluation (AE) process, inspired by similar efforts at several other conferences. All authors of accepted papers (including shepherd approved and minor revisions) are encouraged to submit artifacts for AE. Each artifact submitted will be reviewed by the Artifact Evaluation Committee (AEC); a special call for artifacts will follow.
Like last year, the ACM CCS Conference features a multi-track format. Each track operates as a separate mini-conference, with its own Track Chairs and Track Program Committee. The overall process is managed by the Program Chairs (Véronique Cortier and Zhiqiang Lin). At the time of submission, authors must select one track, which should be the most relevant to the topic of the paper. We understand that some papers might span multiple topics. In specific cases, PC members might be asked to provide reviews for papers outside their track, in an effort to provide the best possible reviews to the authors. The chairs may decide to move a paper to another track.
This is the list of tracks and their Track Chairs:
Program Co-Chairs ✉ccs26-pc-chairs@acm.org
- Véronique Cortier (CNRS, Loria)
- Zhiqiang Lin (The Ohio State University, USA)
- Software Security ✉ccs26-software-track@acm.org
- Zhiyun Qian (University of California, Riverside, USA)
- Vasileios P. Kemerlis (Brown University, USA)
- Web Security ✉ccs26-web-track@acm.org
- Limin Jia (CMU, USA)
- Network Security ✉ccs26-netsec-track@acm.org
- Christian Rossow (CISPA, Germany)
- Security Usability and Measurement ✉ccs26-usablesec-track@acm.org
- Mainack Mondal (IIT Kharagpur, India)
- Michelle Mazurek (University of Maryland, USA)
- Machine Learning and Security ✉ccs26-mlsec-track@acm.org
- Shiqing Ma (UMass Amherst)
- Lea Schönherr (CISPA, Germany)
- Fabio Pierazzi (University College London, UK)
- Formal Methods and Programming Languages ✉ccs26-formal-track@acm.org
- Toby Murray (University of Melbourne, Australia)
- Hardware, Side Channels, and Cyber Physical Systems ✉ccs26-hardware-track@acm.org
- Christopher Fletcher (University of California, Berkeley, USA)
- Alvaro Cardenas (University of California, Santa Cruz, USA)
- Applied Cryptography ✉ccs26-crypto-track@acm.org
- Dominique Schroeder (TU Wien, Austria)
- Foteini Baldimtsi (George Mason University, USA)
- Blockchain and Distributed Systems ✉ccs26-distributed-track@acm.org
- Kartik Nayak (Duke University, USA)
- Privacy and Anonymity ✉ccs26-privacy-track@acm.org
- Thorsten Strufe (Karlsruhe Institute of Technology, Germany)
Each submission must include a brief statement (e.g., 200 words) in the appropriate section of HotCRP addressing:
- Track selection justification: Why is your selected track the best match for your work?
- Practical security relevance: What real-world systems, threat models, and actionable insights does your work address? With this measure, we want to ensure that submissions are clearly aligned with the intended CCS track and demonstrate concrete security relevance. For work spanning multiple tracks, simply choose the best fit and briefly explain your reasoning, and mention any fitting alternative tracks in your statement.
CCS distinguishes itself as a venue focused on practical security impact for real systems. Papers without a clear justification may be desk-rejected or reassigned to a more suitable track.
Machine learning has become pervasive across security and privacy research. To ensure papers are directed to the most appropriate tracks and to clarify what constitutes a good fit for CCS, we provide the following guidelines.
ML for Security/Privacy Problems: If ML is used to solve a security or privacy issue, submit the paper in the track that better aligns with the primary field of the problem being addressed, not "Machine Learning and Security."
Examples:
- Robust and Reliable Early-Stage Website Fingerprinting Attacks via Spatial-Temporal Distribution Analysis - uses ML for website fingerprinting, fits the "Privacy and Anonymity" track
- Rules Refine the Riddle: Global Explanation for Deep Learning-Based Anomaly Detection in Security Applications covers a couple of "ML for security" domains, which can be motivated as a fit for the "Network Security" track
- Exposing Privacy Risks in Anonymizing Clinical Data: Combinatorial Refinement Attacks on k-Anonymity Without Auxiliary Information focuses on k-anonymity (Privacy and Anonymity Track)
- Analyzing PDFs like Binaries: Adversarially Robust PDF Malware Analysis via Intermediate Representation and Language Model is primarily focused on the definition of a more robust malware detection system (Software Security Track)
- Securely Training Decision Trees Efficiently, which is primarily focused on privacy-preserving ML with a heavy cryptographic component (Applied Cryptography)
Security/Privacy of Machine Learning: If your work directly addresses the security or privacy of ML itself, the Machine Learning and Security track may be appropriate, provided the contribution has practical relevance to realistic ML systems. This must also be stated in the Track Justification Statement, clarifying the authors' decision not to submit to a domain-specific track (e.g., Web Security, Software Security).
Relevant work investigates novel attacks (e.g., data poisoning, backdoors, adversarial examples, prompt injection, model inversion, membership inference) or defenses (e.g., attack detection, secure training methods, post-attack forensics) throughout the ML lifecycle under plausible threat models that could occur in practice, not based on unrealistic assumptions or unlikely scenarios.
All papers submitted to this track must provide a threat model that clearly articulates the (i) envisioned attacker(s), (ii) threat surfaces (e.g., system components including but not limited to the underlying machine learning algorithm), (iii) generality (e.g., demonstrating that the attack is not limited to a specific model but generalizes across model architectures or families.), and (iv) practicality of the attack. If the authors believe they still fit the "Machine Learning and Security" track without the need for a threat model, they need to explicitly justify this in the Track Justification Statement.
The paper evaluation needs to be linked to the threat model and scenario motivating the paper. Strong submissions produce generalizable contributions such as frameworks for risk assessment, attack patterns that generalize across models, systematic problem characterizations, or principled defenses with clear justification. Papers that present collections of examples or trial-and-error probes, or approaches lacking methodical rigor, will be considered out of scope.
Purely theoretical ML works without actionable security insights are out of scope, as are papers focusing on generic ML properties (e.g., robustness to natural noise) that lack clear security implications.
Examples of suitable papers:
- "Beowulf: Mitigating Model Extraction Attacks Via Reshaping Decision Regions" - addresses model extraction attacks with practical defense, fits the "Machine Learning and Security" Track
- "Membership Inference Attacks Against In-Context Learning" - focuses on the privacy of LLMs, fits the "Machine Learning and Security" Track
- "Membership Inference Attacks as Privacy Tools: Reliability, Disparity and Ensemble" focuses primarily on analyzing evaluations of membership inference attacks, and fits the "Machine Learning and Security" track.
- "Watch Out! Simple Horizontal Class Backdoor Can Trivially Evade Defense" focuses on the security of MLs, proposing a new type of backdoor with a realistic threat model, which fits the "Machine Learning and Security" track
The conference requires cooperation from both authors and program committee members to ensure a fair review process. For this purpose, authors must report all program-committee members who, in their opinion, have a conflict of interest and therefore may not be able to provide an unbiased review. Mandatory declared conflicts of interest include current or former doctoral advisor/advisee, members of the same institution, close family members, and recent co-authors (within the past 2 years). For any other declared conflict, authors are required to explain the nature of the conflict Program Chairs and the Track Chairs. The chairs reserve the right to request further explanation and can remove non-mandatory conflicts at their discretion.
Track Chairs are not allowed to submit papers in their own track but they may submit any number of papers in other tracks, subject to a maximum of 5 papers per cycle.
Program-committee members who have a genuine conflict of interest with a paper, including the Program Chairs and the Track Chairs, will be excluded from evaluation and discussion of that paper. When a Track Program Chair has a conflict, the paper will be handled by the Program Chairs. When a Program Chair is conflicted, the other Co-Chair will be responsible for managing that paper. When both Program Chairs are in conflict, a committee member will be appointed to handle the paper. Program Chairs are not allowed to be authors or co-authors of any submissions.
All SIGSAC sponsored conferences and workshops are required to follow ACM policies against harassment activities (https://www.acm.org/about-acm/policy-against-harassment) and ACM Code of Ethics and Professional Conduct (https://www.acm.org/code-of-ethics). Also all authors, PC members and non-PC reviewers are required to follow ACM Publications Policies (https://www.acm.org/publications/policies/toc). Particularly, we require all reviewers to uphold the integrity of the peer review process and avoid conflict of interest of any form (e.g., reviewer collusion ring). Those who violate these policies will be penalized according to ACM policies (https://www.acm.org/publications/policies/penalties-for-publication-violations). If you would like to report a violation, please contact program chairs of your conferences/workshops or SIGSAC officers. We are committed to protecting the confidentiality of your communication.
Abstract submission deadline
Jan 7, 2026 (Mandatory, all papers must have an abstract submitted by this date)
Full Paper submission deadline
Jan 14, 2026
Notification of early-rejection papers
Feb 18, 2026
Author rebuttal period
Mar 16—19, 2026
Rebuttal deadline
Mar 19, 2026
Author notification
Apr 9, 2026
Abstract submission deadline
April 22, 2026 (Mandatory, all papers must have an abstract submitted by this date)
Full Paper submission deadline
April 29, 2026
Notification of early-rejection papers
June 1, 2026
Author rebuttal period
June 23—26, 2026
Rebuttal deadline
June 26, 2026
Author notification
July 17, 2026
TBD
Please Note: The official publication date is the first day of the conference. The official publication date affects the deadline for any patent filings related to published work.
ACM CCS is committed to promoting diversity and inclusion in our community. If you have suggestions, concerns, or complaints related to biases or sexual harassment, we encourage you to reach out to the Program Chairs. We are committed to protecting the anonymity of such reports and helping to address your concerns. We value your feedback and ideas to help us all build a healthier and more welcoming community.
We encourage the authors to be mindful of not using language or examples that further the marginalization, stereotyping, or erasure of any group of people, especially historically under-represented groups (URGs) in computing. Of course, exclusionary treatment can arise unintentionally. Be vigilant and actively guard against such issues in your writing. Reviewers will also be empowered to monitor and demand changes if such issues arise in your submissions. Please check the link for more information.
By submitting your article to an ACM Publication, you are hereby acknowledging that you and your co-authors are subject to all ACM Publications Policies, including ACM's new Publications Policy on Research Involving Human Participants and Subjects. Alleged violations of this policy or any ACM Publications Policy will be investigated by ACM and may result in a full retraction of your paper, in addition to other potential penalties, as per ACM Publications Policy.
Please ensure that you and your co-authors obtain an ORCID ID, so you can complete the publishing process for your accepted paper. ACM has been involved in ORCID from the start and we have recently made a commitment to collect ORCID IDs from all of our published authors. We are committed to improve author discoverability, ensure proper attribution and contribute to ongoing community efforts around name normalization; your ORCID ID will help in these efforts.
Starting January 1, 2026, ACM will fully transition to Open Access. All ACM publications, including those from ACM-sponsored conferences, will be 100% Open Access. Authors will have two primary options for publishing Open Access articles with ACM: the ACM Open institutional model or by paying Article Processing Charges (APCs). With over 1,800 institutions already part of ACM Open, the majority of ACM-sponsored conference papers will not require APCs from authors or conferences (currently, around 70-75%).
Authors from institutions not participating in ACM Open will need to pay an APC to publish their papers, unless they qualify for a financial or discretionary waiver. To find out whether an APC applies to your article, please consult the list of participating institutions in ACM Open and review the APC Waivers and Discounts Policy. Keep in mind that waivers are rare and are granted based on specific criteria set by ACM.
Understanding that this change could present financial challenges, ACM has approved a temporary subsidy for 2026 to ease the transition and allow more time for institutions to join ACM Open. The subsidy will offer:
- $250 APC for ACM/SIG members
- $350 for non-members
This represents a 65% discount, funded directly by ACM. Authors are encouraged to help advocate for their institutions to join ACM Open during this transition period.
This temporary subsidized pricing will apply to all conferences scheduled for 2026.