In a surprising turn of events, a British expert in cybersecurity has successfully obtained a highly sought-after permanent residency visa in Australia—after demonstrating his hacking skills on government systems while waiting for his visa application to be processed.
Jacob Riggs, who serves as the global director of information security for a prominent software-as-a-service company, was granted the 858 National Innovation visa in December, following a rigorous seven-month application process. His unique approach involved probing the networks of the Department of Foreign Affairs and Trade (DFAT) to showcase his expertise in real-time, during which he uncovered a significant vulnerability.
Working from his residence in Bexley, southeast London, Riggs identified this exploitable flaw in less than two hours back in July. The 858 visa, previously known as the Global Talent visa, is notoriously selective, boasting an approval rate of under 1%. Migration consultancy VisaEnvoy reports that since the program's inception, over 9,000 expressions of interest have been recorded, yet only 304 applicants have received invitations, with approximately 85 ultimately granted residency.
"I treated it like a standard security assessment and applied the same methods I use in my professional work," Riggs, aged 36, explained. He stated that the vulnerability he discovered was classified as critically severe according to the Common Vulnerability Scoring System (CVSS), a widely accepted framework for rating vulnerabilities.
DFAT maintains a formal Vulnerability Disclosure Policy, allowing security researchers to test its systems within specific parameters. After discovering the issue, Riggs promptly reported it to DFAT and was later recognized on the department’s disclosure program honor roll.
"DFAT responded swiftly and took corrective action," Riggs noted, opting not to disclose further evidence beyond what he shared in a public blog post, stating, "I believe sharing more might breach the confidentiality agreement I have with DFAT."
To qualify for the 858 visa, applicants must showcase internationally acknowledged achievements in priority fields, including cybersecurity. This program typically attracts individuals with exceptional credentials, such as Nobel laureates and Olympic medal winners. However, showcasing merit in cybersecurity is particularly challenging. "There isn’t an equivalent to an Olympic Gold Medal in this field," Riggs wrote on his blog. "There is no single standard of excellence to rely on, so it all hinges on tangible accomplishments."
Riggs’ application included around 60 pages of documentation, encompassing bug bounty awards, recognition letters from universities and governments across the globe, as well as records of vulnerability disclosures to major tech firms. Despite having only a limited formal education, he emphasized the significance of professional certifications and acknowledgment letters for his responsible disclosure efforts, materials he found to be “unexpectedly perfect” for meeting the assessment criteria.
He joked that he had reached the maximum attachment limit for his application documentation.
While his application was still under review, Riggs made the strategic choice to provide up-to-date evidence of his abilities. "Given the high standards set by the 858 visa, it became evident during the application process that I should also demonstrate the current value of my skills," he wrote, highlighting that his role involves leadership responsibilities that extend beyond purely technical tasks.
He acknowledged that the infrastructure of the Australian government is generally well-protected, which only increased his curiosity about assessing its systems.
This gamble seems to have paid off for Riggs; he navigated the entire application process without the assistance of migration agents or immigration lawyers, a decision he referred to as "very much in line with my usual approach."
His case underscores the difficulties in evaluating elite cyber talent and highlights the potential of Australia's innovation visa program to attract individuals whose contributions may not be easily quantified through traditional metrics.
By May 2025, nearly 6,000 individuals had expressed interest in the revamped 858 program, but only seven had successfully secured visas at that time. Among them were two scientists of Iraqi origin, Dr. Bilal Bahaa Zaidan Al-Jubouri and Dr. Aos Alaa Zaidan, who gained visas due to their expertise in artificial intelligence applications within healthcare and agriculture.
Cybersecurity researcher Jamieson O’Reilly pointed out that Australia faces a significant shortage of cyber skills, exacerbated by structural barriers that keep local talent from being utilized effectively. "There are many highly skilled security professionals in this nation who cannot access government positions because they aren’t affiliated with large consulting agencies or don’t fit the procurement criteria. We discuss skill shortages while simultaneously excluding capable individuals," he said.
O’Reilly emphasized that pathways like the 858 visa could play a crucial role in addressing these genuine gaps, but he believes the focus should be on removing obstacles for local talent. He added that Riggs' case reveals deeper systemic issues within the Australian government’s security procurement practices. "This vulnerability managed to evade annual Information Security Registered Assessors Program (IRAP) evaluations, two outsourced penetration tests, and internal examinations before being identified by someone external to the system. That’s a detail that deserves attention."
Looking ahead, Riggs intends to relocate to Sydney within a year to continue his work in cybersecurity. "Moving your entire life to another country entails a lot to consider," he said thoughtfully. "Plus, I have a cat who still needs some convincing about the move."
As of the deadline for this article, neither the Department of Foreign Affairs and Trade nor the Department of Home Affairs had responded to requests for comment.