4 hours ago
1
A British cybersecurity expert has been given coveted Australian permanent residency status after hacking the government’s systems while his visa application was under review.
Jacob Riggs gained the 858 National Innovation visa in December after a seven-month application process that culminated in him probing the Department of Foreign Affairs and Trade’s networks to demonstrate his credentials in real time, and identifying a critical vulnerability.
Jacob Riggs, 36, received the 858 National Innovation visa in December after a seven-month application process that culminated in him probing the Australian government’s attack surface to demonstrate his capabilities in real time.
Riggs, global director of information security for a large software-as-a-service provider, said he identified the exploitable flaw in under two hours while working from his home in Bexley, south-east London, in July.
Riggs’ visa, formerly known as the Global Talent visa, has an approval rate of less than 1 per cent. According to migration consultancy VisaEnvoy, more than 9000 expressions of interest have been submitted since the program commenced, with just 304 applicants invited and about 85 granted residency.
“I approached it as a routine security assessment and simply applied the same methodology I use professionally,” Riggs, 36, told this masthead. He said the vulnerability he identified met the threshold for critical severity under CVSS standards, the industry rating framework.
DFAT operates a formal Vulnerability Disclosure Policy, permitting security researchers to test its systems within a defined scope. Riggs reported the issue to DFAT and was subsequently acknowledged on the department’s disclosure program honour roll.
Jacob Riggs, director of Information security for a large software-as-a-service provider.
“DFAT were very quick to respond and remediate,” Riggs said, declining to share additional evidence beyond his public blog post. “I feel this would go against the spirit of the confidentiality between myself and DFAT.”
The 858 visa requires applicants to demonstrate internationally recognised achievement in priority sectors, including cybersecurity. The program typically attracts Nobel laureates and Olympic medallists – professionals with singular, verifiable credentials.
Cybersecurity presents a distinct challenge. “There’s no trophy equivalent of an Olympic Gold Medal,” Riggs wrote on his blog. “There’s no singular hallmark of excellence you can lean on, so everything comes down to what you’ve actually done.”
Loading
His application supplied about 60 pages of evidence spanning bug bounty payouts, formal recognition letters from universities and governments worldwide, and documentation of vulnerability disclosures to major technology companies.
Riggs, who barely completed secondary school, said he lacked traditional academic credentials. Instead, he submitted professional accreditations and letters acknowledging his responsible disclosure work, materials he described as “unexpectedly perfect” for the assessment criteria.
“I ended up hitting the attachment limit,” he wrote.
With his application still under review, Riggs decided to provide contemporary evidence of his skills.
“Given the bar the 858 sets, it became clear during the application process that I should also make efforts to show the current value in my capabilities,” he wrote, noting his role spans leadership responsibilities beyond hands-on technical work.
He acknowledged Australian government infrastructure was generally well-hardened, which “only piqued my interest more”.
Jamieson O’Reilly, founder and chief executive of cybersecurity firm Dvuln.Credit: Dominic Lorrimer
The gamble appears to have paid off. Riggs completed the entire process without engaging migration agents or immigration lawyers, a decision he described as “very on-brand”.
The case highlights both the challenges of assessing elite cyber talent and the potential for Australia’s innovation visa program to attract professionals whose contributions are difficult to measure through conventional metrics.
Loading
By May 2025, nearly 6000 people had expressed interest in the revamped 858 program, with only seven successful grants at that point. Two Iraqi-born scientists, Dr Bilal Bahaa Zaidan Al-Jubouri and Dr Aos Alaa Zaidan, secured visas for AI expertise in healthcare and agriculture applications.
Cybersecurity researcher Jamieson O’Reilly said Australia’s cyber skills shortage was worsened by structural barriers preventing existing talent from contributing.
“There are highly capable security practitioners in this country who can’t get near government work because they’re not attached to a large consultancy or don’t fit the procurement mould. So we talk about skills shortages while simultaneously locking out skilled people,” he told this masthead.
He said pathways such as the 858 visa were valuable for addressing genuine gaps, but the priority should be removing barriers for local talent. He added this case pointed to deeper structural issues in Australian government security procurement.
“This vulnerability survived annual IRAP assessments, two outsourced penetration tests, and internal testing before someone outside the system found it. That’s the detail worth paying attention to.”
Riggs said he plans to relocate to Sydney within 12 months to continue cybersecurity work.
“There’s a lot to consider when you move your entire life to another country,” he said. “I also have a cat and he still needs convincing.”
The Department of Foreign Affairs and Trade and the Department of Home Affairs did not respond to requests for comment before deadline.
Most Viewed in Technology
Loading
