Imagine hacking a government system and getting rewarded with permanent residency! Sounds like something out of a movie, right? That's exactly what happened to a British cybersecurity expert, and it's sparking a huge debate about how Australia attracts and assesses top-tier cyber talent.
Jacob Riggs, a cybersecurity whiz from the UK, landed a highly sought-after Australian 858 National Innovation visa after, get this, hacking the Australian government's systems. Specifically, while his visa application was under review! This wasn't some malicious attack, though. It was a calculated move to demonstrate his skills in real-time. During the seven-month application process, Riggs identified a critical vulnerability in the Department of Foreign Affairs and Trade’s (DFAT) networks.
Working from his home in Bexley, south-east London, Riggs, who is the global director of information security for a major software-as-a-service company, discovered the exploitable flaw in less than two hours. He approached it as a standard security assessment, using the same methods he employs professionally. He then reported the vulnerability to DFAT.
But here's where it gets controversial... The 858 visa, previously known as the Global Talent visa, is notoriously difficult to obtain. Its approval rate is less than 1%. Migration consultancy VisaEnvoy reports that over 9,000 expressions of interest have been submitted since the program's inception, with only about 304 applicants invited and approximately 85 granted residency. This makes Riggs' achievement even more remarkable, and raises questions about the conventional methods of assessing talent for such visas.
Riggs, 36, explained that the vulnerability he uncovered met the criteria for 'critical severity' under Common Vulnerability Scoring System (CVSS) standards, the industry's established rating framework. DFAT, to their credit, has a Vulnerability Disclosure Policy that allows security researchers to test their systems within a defined scope. Riggs reported the issue responsibly and was acknowledged on the department's disclosure program honor roll. He praised DFAT for their swift response and remediation, but declined to share further details, citing confidentiality.
The 858 visa is designed for individuals with internationally recognized achievements in priority sectors, including cybersecurity. Typically, it attracts Nobel laureates and Olympic medalists – individuals with easily verifiable credentials. Cybersecurity, however, presents a unique challenge. As Riggs himself pointed out on his blog, "There’s no trophy equivalent of an Olympic Gold Medal" in cybersecurity. There's no single, universally accepted hallmark of excellence, so assessment relies heavily on demonstrated skills and accomplishments.
Riggs' application included around 60 pages of evidence, showcasing bug bounty payouts, formal recognition letters from universities and governments globally, and documentation of vulnerability disclosures to major tech companies. And this is the part most people miss... He didn't have a stellar academic record, having barely finished secondary school. Instead, he relied on professional accreditations and letters acknowledging his responsible disclosure work, which he described as "unexpectedly perfect" for the visa's assessment criteria. He even reached the attachment limit on his application!
Realizing the high bar set by the 858 visa, Riggs decided to provide contemporary evidence of his skills while his application was still under review. He understood that his leadership responsibilities might overshadow his hands-on technical abilities, so he wanted to showcase his current capabilities. He noted that Australian government infrastructure was generally well-protected, which "only piqued my interest more."
The gamble paid off handsomely. Riggs navigated the entire process without the aid of migration agents or immigration lawyers, a decision he proudly described as "very on-brand." This case underscores the difficulties in evaluating elite cyber talent and highlights the potential of Australia's innovation visa program to attract professionals whose contributions defy conventional measurement metrics. By May 2025, nearly 6,000 people had expressed interest in the revamped 858 program, with only seven successful grants at that point. Two Iraqi-born scientists, Dr. Bilal Bahaa Zaidan Al-Jubouri and Dr. Aos Alaa Zaidan, secured visas for AI expertise in healthcare and agriculture, showing the breadth of talent the program seeks.
However, cybersecurity researcher Jamieson O’Reilly raises a critical point: Australia's cyber skills shortage is exacerbated by structural barriers that prevent existing talent from contributing. "There are highly capable security practitioners in this country who can’t get near government work because they’re not attached to a large consultancy or don’t fit the procurement mould. So we talk about skills shortages while simultaneously locking out skilled people," he argues. While pathways like the 858 visa are valuable for filling genuine gaps, he believes priority should be given to removing barriers for local talent. O'Reilly also suggests that this case reveals deeper structural issues within Australian government security procurement. "This vulnerability survived annual IRAP assessments, two outsourced penetration tests, and internal testing before someone outside the system found it. That’s the detail worth paying attention to."
Riggs plans to relocate to Sydney within the next year to continue his cybersecurity work. "There’s a lot to consider when you move your entire life to another country," he said. "I also have a cat and he still needs convincing."
The Department of Foreign Affairs and Trade and the Department of Home Affairs did not respond to requests for comment before the deadline.
So, what do you think? Is this a brilliant way to attract top cybersecurity talent, or does it highlight a flawed system that overlooks local experts and relies too heavily on unconventional methods of assessment? Should the Australian government prioritize removing barriers for local talent before seeking international experts? Share your thoughts in the comments below!
