Cyber expert gets rare Australian visa by hacking the government
A British cybersecurity expert has been granted permanent resident status in Australia after hacking into government systems while his visa application was being processed.
Jacob Riggs received the 858 National Innovation visa in December, following a seven-month application process that culminated in him probing the Department of Foreign Affairs and Trade's network to demonstrate his credentials in real time and identifying a critical security vulnerability.
Riggs, global information security director for a major software-as-a-service provider, said he detected the exploitable flaw in less than two hours in July while working from his home in Bexley, south-east London.
The visa Riggs received, formerly known as the Global Talent visa, has an approval rate of less than 1 percent. According to immigration consultancy VisaEnvoy, more than 9,000 expressions of interest have been submitted since the program’s inception; only 304 applicants were invited and approximately 85 were granted residence permits.
“I approached this as a routine security assessment and applied the same methodology I use professionally,” Riggs, 36, told this masthead. He said the vulnerability he identified met the critical severity threshold under CVSS standards, the industry rating framework.
DFAT operates a formal Vulnerability Disclosure Policy that allows security researchers to test its systems within a defined scope. Riggs reported the issue to DFAT and was subsequently included in the department’s disclosure program honor roll.
“DFAT responded very quickly and rectified the situation,” Riggs said, declining to share additional evidence beyond the public blog post. “I think this would be contrary to the spirit of confidentiality between me and DFAT.”
The 858 visa requires applicants to demonstrate internationally recognized achievement in priority sectors, including cybersecurity. The program often attracts Nobel laureates and Olympic medalists—professionals with unique, verifiable credentials.
Cybersecurity presents a distinct challenge. “There is no award equivalent to the Olympic Gold Medal,” Riggs wrote on his blog. “There is no single attribute of excellence that you can rely on, so it all depends on what you actually do.”
His application provided nearly 60 pages of evidence covering bug bounty payments, official letters of recognition from universities and governments around the world, and documentation of vulnerability disclosures to major tech companies.
Riggs, who barely finished middle school, said he lacked traditional academic credentials. Instead, he submitted letters acknowledging professional accreditations and responsible disclosure work, material he described as “unexpectedly excellent” for the assessment criteria.
“I’ve finally reached my commitment limit,” he wrote.
With his application still under review, Riggs decided to provide updated evidence of his skills.
“Given the 858 bar, it became clear that I needed to strive to demonstrate the current value of my skills during the application process,” he wrote, noting that his role included leadership responsibilities beyond hands-on technical work.
He acknowledged that the Australian government’s infrastructure was generally well consolidated, and said this “only piqued my interest further”.
The gamble seems to have paid off. Riggs completed the entire process without contacting immigration agents or immigration lawyers, calling the decision “very on-brand.”
The case highlights both the challenges of assessing elite cyber talent and the potential of Australia’s innovation visa program to attract professionals whose contributions are difficult to measure by traditional metrics.
As of May 2025, approximately 6,000 people had expressed interest in the renewed 858 program, and at that point only seven successful grants had been awarded. Two Iraqi-born scientists, Dr Bilal Bahaa Zaidan Al-Jubouri and Dr Aos Alaa Zaidan, have received visas to specialize in artificial intelligence in healthcare and agricultural applications.
Cyber security researcher Jamieson O’Reilly said Australia’s cyber skills shortage was exacerbated by structural barriers that prevented existing talent from contributing.
“There are highly skilled security practitioners in this country who are unable to approach government jobs because they are not affiliated with a large consultancy or do not fit the procurement mould. So on the one hand we are talking about skills shortages, on the other hand we are keeping talented people out,” he said.
He said pathways such as the 858 visa were valuable in closing real gaps, but the priority should be on removing barriers to local talent. He added that this case points to deeper structural problems in the Australian government’s security procurement.
“This vulnerability survived annual IRAP assessments, two external penetration tests, and internal testing before someone outside the system found it. That’s the detail worth paying attention to.”
Riggs said he plans to move to Sydney within 12 months to continue his cybersecurity work.
“There’s a lot to consider when you move your entire life to another country,” he said. “I have a cat too and he still needs convincing.”
The Department of Foreign Affairs and Trade and the Department of Home Affairs did not respond to requests for comment before deadline.
