Cyber expert gets rare Australian visa by hacking the government
The self-taught British security researcher found a unique way to beat 99 per cent rejection odds for the elite visa.
A British cybersecurity expert has been given coveted Australian permanent residency status after hacking the government’s systems while his visa application was under review.
Jacob Riggs gained the 858 National Innovation visa in December after a seven-month application process that culminated in him probing the Department of Foreign Affairs and Trade’s networks to demonstrate his credentials in real time, and identifying a critical vulnerability.
Riggs, global director of information security for a large software-as-a-service provider, said he identified the exploitable flaw in under two hours while working from his home in Bexley, south-east London, in July.
Riggs’ visa, formerly known as the Global Talent visa, has an approval rate of less than 1 per cent. According to migration consultancy VisaEnvoy, more than 9000 expressions of interest have been submitted since the program commenced, with just 304 applicants invited and about 85 granted residency.
“I approached it as a routine security assessment and simply applied the same methodology I use professionally,” Riggs, 36, told this masthead. He said the vulnerability he identified met the threshold for critical severity under CVSS standards, the industry rating framework.
DFAT operates a formal Vulnerability Disclosure Policy, permitting security researchers to test its systems within a defined scope. Riggs reported the issue to DFAT and was subsequently acknowledged on the department’s disclosure program honour roll.
“DFAT were very quick to respond and remediate,” Riggs said, declining to share additional evidence beyond his public blog post. “I feel this would go against the spirit of the confidentiality between myself and DFAT.”