The 47th IEEE Symposium on Security and Privacy convenes May 18–21, 2026 at the Hilton San Francisco Union Square, and for the researchers whose papers made it onto the program, getting there meant clearing one of the steepest bars in computer science. Acceptance rates at the conference — known across the field simply as Oakland, after the Bay Area hotel where it was founded in 1980 — have sat in the single digits to low teens for years. A 2023 internal review found that under the conference’s old decision model, the raw first-round acceptance rate was averaging about 6.5%, a number the program chairs publicly called “unacceptable” and overhauled the process to address.
This is the venue where Spectre was first presented in full academic form. Where CHERI, the hybrid capability architecture now shipping in Arm’s Morello research silicon, earned its foundational citations. Where differential privacy, TLS attacks, and nearly every generation of microarchitectural side-channel work has been stress-tested by peer review before reaching production defenders. If you work in security and want to know what’s going to matter in three years, the Oakland program is where you look.
Why Oakland Still Sets the Agenda
The conference was founded in 1980 by Stan Ames and George Davida as a small workshop at the Claremont Resort, and the early years exposed a fault line that persists in muted form today: cryptographers and systems security researchers often sat in different rooms, sometimes literally walking out of each other’s sessions. Later organizers deliberately mixed the panels to force the conversation, and the resulting breadth — theory meets implementation, formal methods meets kernel exploitation — is part of what gives S&P its character.
Two structural choices keep Oakland distinctive. First, it runs as a single-track conference, meaning every attendee sees every talk. That constrains the program to roughly 150–250 papers per year across three days of sessions, which in turn forces reviewers to be brutally selective. Other top-tier venues — USENIX Security, ACM CCS, NDSS — run multiple parallel tracks and accept considerably more papers. Second, S&P uses double-blind review with a quarterly submission model, and as of 2024 every accepted paper ships with a public meta-review of up to 500 words summarizing the program committee’s reasons for acceptance and any remaining concerns. Authors can publish a response alongside it.
The meta-review innovation is a direct response to a chronic problem in top-tier academic security: reviewers were using “major revision” demands to extract changes that weren’t strictly necessary, pushing acceptance rates down and author workload up. Making reviewer concerns public, while giving authors the chance to respond in print, was the program chairs’ attempt to reduce the incentive for reviewers to escalate minor objections into blockers. It’s a small procedural change that substantially affects which papers make it out of the review pipeline.
The Papers That Defined the Field
Oakland’s archive reads like a timeline of modern security itself. Spectre: Exploiting Speculative Execution by Paul Kocher and collaborators, presented at S&P 2019, fundamentally changed how the industry thinks about CPU microarchitecture. The vulnerability is documented under CVE-2017-5753 and CVE-2017-5715, and seven years later the speculation-safety story is still being written — at S&P 2025, Sander Wiebing and Cristiano Giuffrida of Vrije Universiteit Amsterdam presented Training Solo: On the Limitations of Domain Isolation Against Spectre-v2 Attacks, and Andrea Di Dio and colleagues from the same group presented Half Spectre, Full Exploit, combining Rowhammer and Spectre gadgets in new ways. The initial disclosure is a mature CVE; the research agenda it opened is not close to closed.
CHERI — the hybrid capability system architecture developed by Robert N. M. Watson, Peter G. Neumann, Simon W. Moore, and a large Cambridge/SRI team — accumulated its influence through years of Oakland papers before Arm committed to producing Morello research silicon and the UK’s Digital Security by Design program began funding commercial adoption. The original MEGA: Malleable Encryption Goes Awry paper by Matilda Backendal, Miro Haller, and Kenneth Paterson of ETH Zurich exposed real cryptographic vulnerabilities in a deployed end-to-end encrypted storage service and forced a protocol redesign. The Matrix protocol cryptography paper by Martin Albrecht and collaborators did similar work for the decentralized messaging standard.
Two Distinguished Paper Awards from S&P 2023 illustrate the range. Typing High-Speed Cryptography against Spectre v1 by Basavesh Ammanaghatta Shivakumar, Gilles Barthe, and the MPI-SP team produced a type system that proves crypto code is Spectre-safe at near-zero runtime cost. In the same year, a joint team published Red Team vs. Blue Team, a hardware Trojan detection study across four CMOS technology generations — a paper that could only exist because the authors had physical access to silicon prototypes and the patience to run a real adversarial exercise.
The Process That Produces These Papers
Paper acceptance at S&P is not a linear pipeline. Since 2021 the conference has operated a quarterly submission model — authors can submit in any of several cycles per year, and a paper that falls short the first time can be invited to revise and resubmit in the next cycle. Rejected papers face a one-year waiting period before they can resubmit with substantially similar content.
Reviewers evaluate papers on novelty, technical soundness, ethical conduct, and relevance to deployed systems. The ethics bar rose sharply after a 2021 incident where researchers from the University of Minnesota submitted a paper titled On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits, in which they attempted to introduce bugs into the Linux kernel as a research exercise without Institutional Review Board approval. The paper was accepted, the Linux kernel community reacted forcefully, and the authors withdrew the paper. In response, IEEE S&P committed to adding an explicit ethics review step and improving its documentation around ethics declarations. Authors are now expected to document how they addressed and mitigated potential harms from carrying out their research — including impact on deployed systems, data collection practices, and negative consequences of publication.
The conference’s acceptance rate over the last five years has averaged roughly 11.5%, with cycle-level numbers that sometimes dip into the single digits. For S&P 2021, after three cycles the conference accepted 77 papers out of 643 submissions — an acceptance rate of 12.0%. The 2024 process reform, which replaced “conditional accept” and “major revision” with a simpler Accept/Reject decision plus a public meta-review, was explicitly designed to move that number back toward a more sustainable range without dropping quality.
What the 2026 Program Tells Us
The accepted papers list for S&P 2026 is a reasonable proxy for where serious security research is heading. A few clusters stand out.
LLM and AI security has moved from novelty track to core program. Papers accepted this year include When AI Meets the Web: Prompt Injection Risks in Third-Party AI Chatbot Plugins by the UC Santa Barbara group led by Giovanni Vigna and Christopher Kruegel, and work from Cornell Tech’s Vitaly Shmatikov on attacks against deployed models. The conference is treating LLM-integrated applications as infrastructure, not novelty — which matches how defenders now see the attack surface.
Hardware and microarchitectural security continues to produce results. GDDR: Greatly Disturbing DRAM Rows — Cross-Component Rowhammer Attacks from Modern GPUs from researchers at UNC Chapel Hill and Georgia Tech (including Daniel Genkin, a prolific side-channel researcher) extends Rowhammer into GPU-mediated paths. The long tail of speculative-execution research remains very much alive.
Applied cryptography and deployed-system audits show up in work like Auditing Apple’s DifferentialPrivacy.framework: Implementation Bugs, Misconfigurations, and Practical Risks — a paper that takes a shipping privacy-preserving system from a major vendor and grades its actual implementation. This genre of paper is increasingly where academic research meets production reality; Unveiling Security Vulnerabilities in Git Large File Storage Protocol from S&P 2025 played a similar role for a core developer-tools protocol.
Usable security and vulnerable-population research is also growing. International Students and Scams: At Risk Abroad, accepted for 2026, focuses on how international students in the United States are uniquely exposed to online scams because of procedural unfamiliarity and compulsory exposure to unknown counterparties during housing, tuition, and employment processes. It’s the kind of paper that wouldn’t have appeared at Oakland fifteen years ago — the conference’s scope has expanded deliberately to cover human factors alongside systems and crypto.
Privacy-focused measurement remains strong. Papers, Please: A First Look at Age Verification on the Web from Georgia Tech (Paul Pearce, Michael A. Specter, and collaborators) takes on the newly deployed age-verification regimes appearing across the US and EU — a system the research community is only beginning to assess empirically.
Where Oakland Fits Among the Big Four
Academic security has four venues that matter most for career-defining research: IEEE S&P (Oakland), USENIX Security Symposium, ACM Conference on Computer and Communications Security (CCS), and Network and Distributed System Security Symposium (NDSS). A paper at any of these is a substantial credential; papers at all four over a career define a senior researcher.
The venues differ in character. USENIX Security has historically been more systems-oriented and prints longer papers. CCS is larger and more catholic in topic scope. NDSS is the most networking-flavored. S&P’s reputation is for the most rigorous — and least forgiving — review standards, reinforced by the single-track format that limits accepted-paper count. That reputation is partly deserved and partly self-fulfilling: because reviewers know acceptance is scarce, they hold papers to a higher bar; because the bar is high, submission quality stays elevated.
The European sibling conferences — IEEE EuroS&P (debuted 2016, next edition July 6–10, 2026 in Lisbon) and IEEE Computer Security Foundations Symposium (CSF) — give researchers additional top-tier outlets closer to European institutions, and they share significant overlap in the community.
Why Practitioners Should Read the Proceedings
There is a persistent gap between academic security research and practitioner awareness. Red teams, SOC analysts, incident responders, and product security engineers rarely read Oakland proceedings directly, and that’s a missed opportunity. Three years before Spectre mitigations became a Windows patch requirement, the speculative-execution attack surface was being mapped in these proceedings. Two years before Rowhammer became an industry concern, it was being measured in academic labs. The pattern is consistent: the attacks that dominate future threat briefings are being disclosed and characterized at S&P and its peer venues well before they appear in CISA advisories.
The counter-argument — that academic papers are too theoretical for operational use — is decreasingly true. Recent Oakland papers include tool releases, fuzzing frameworks, vulnerability disclosures against deployed systems with attached CVE numbers, and empirical studies of production security behavior. Characterizing Robocalls with Multiple Vantage Points (S&P 2025) is a measurement study usable directly by telecom fraud teams. Clubcards for the WebPKI: smaller certificate revocation tests addresses a real deployment constraint Mozilla has been working through. The research is increasingly designed to ship.
All accepted papers are published open access in the IEEE Computer Society Digital Library, citable immediately after acceptance as “To appear in the IEEE Symposium on Security & Privacy, May 2026.” There is no paywall between practitioners and the work.
Frequently Asked Questions
How is S&P different from EuroS&P? EuroS&P, which debuted in 2016, runs a similar scope and standards but is hosted in Europe and has a somewhat smaller program. The 2026 edition runs July 6–10 in Lisbon. Papers not accepted at S&P sometimes find their way to EuroS&P after revision, though the two venues coordinate against simultaneous submission.
What’s the deal with meta-reviews? As of 2024, every accepted S&P paper includes a public meta-review of up to 500 words written by the paper’s shepherd, summarizing why the program committee accepted it and what concerns remain. Authors can publish a response. The goal is to reduce the pressure on reviewers to demand “nice-to-have” changes through major-revision verdicts, and to give readers a transparent view of the review debate.
How do you attend if you aren’t presenting? Registration is open to all. The conference has run in a hybrid format in some recent years; the 2026 program at Hilton San Francisco Union Square is in-person, with workshops on May 21. Student travel grants are available for accepted authors and qualifying attendees. Check the official conference site — sp2026.ieee-security.org — for registration and workshop details.
Is the research in these papers reproducible? Increasingly yes. Oakland has pushed artifact evaluation as a separate process, and many recent papers ship with public code repositories, datasets, and reproducibility statements. This isn’t universal — some papers describe attacks against proprietary systems where full artifacts aren’t releasable — but the trend is toward open artifacts.
The Bottom Line
Academic security research has a branding problem. Practitioners see “IEEE Symposium” and think of remote theoretical work at universities with no relevance to next Tuesday’s alert triage. This is almost exactly backwards. The attacks your detection engineers will be writing rules for in 2028 are being formalized at Oakland now. The defense primitives your vendors will be shipping in 2030 are being prototyped in papers the program committee is debating this spring. The gap between the proceedings and production isn’t a chasm — it’s a three-to-five-year pipeline, and the organizations that read ahead get a real advantage.
The 47th Symposium opens in San Francisco in three weeks. The full accepted-papers list is public. Even if you never attend, reading through it is free, and the yield — measured in early warning about what’s coming — is disproportionate to the time.
