TL;DR

Jacob Riggs, a 36-year-old British security researcher, was granted Australia's invite-only Subclass 858 National Innovation visa after a multi-stage application process that included an accepted bug report to the Department of Foreign Affairs and Trade (DFAT). The visa invitation preceded his DFAT disclosure, and the researcher says the report may have helped his final outcome but that influence is not confirmed.

What happened

Jacob Riggs, a 36-year-old London-based security researcher, has been granted Australia's Subclass 858 National Innovation visa, an invite-only pathway for people with internationally recognised records of exceptional achievement. Riggs filed an expression of interest (EOI) in April and was invited to apply in May. In July he used DFAT's responsible vulnerability disclosure framework to report a critical-severity vulnerability he said took him a couple of hours to find; the issue was promptly fixed and his name appears among four successful reporters under the scheme. The government issued a request for more information (S56) on October 20, and the NIV was granted on December 2. Riggs told news outlets he plans to move to Sydney within the next 12 months. He also noted that he cannot be certain how much his DFAT disclosure affected the visa outcome, given the invitation predated the report.

Why it matters

  • The case shows national immigration routes can recognise cybersecurity expertise alongside traditional academic and sporting achievements.
  • Responsible disclosure programs can create visible, verifiable contributions that may bolster an applicant's public record.
  • Subclass 858 invites are rare, so individual successes attract attention to how exceptional achievement is assessed.
  • The quick remediation of the reported DFAT vulnerability indicates an active vulnerability disclosure process within that department.

Key facts

  • Applicant: Jacob Riggs, 36, based in London.
  • Visa: Subclass 858 National Innovation visa (NIV), invite-only category.
  • Application timeline: EOI filed in April; invited to apply in May; DFAT vulnerability reported in July; S56 request issued October 20; NIV granted December 2.
  • Riggs found a critical-severity vulnerability in DFAT systems in a few hours and reported it via DFAT's responsible disclosure framework.
  • His report was one of four accepted under DFAT's scheme and the issue was fixed promptly.
  • Q3 2025 government data: 122 invites issued from 1,841 EOIs (6.6% invite rate), higher than previous typical figures of 2–3%.
  • With an NIV, the holder can apply for permanent residency as the next step.
  • Riggs has said he plans to relocate to Sydney within the next 12 months.

What to watch next

  • Riggs's relocation timeline and whether he follows through on moving to Sydney within the next 12 months (confirmed in the source).
  • Whether the DFAT disclosure had any formal role in the success of his NIV application — not confirmed in the source.
  • Any broader policy or recruitment changes linking vulnerability disclosures to immigration outcomes — not confirmed in the source.

Quick glossary

  • Subclass 858 National Innovation visa (NIV): An Australian invite-only visa for people with internationally recognised records of exceptional achievement who are expected to contribute to key sectors of the economy.
  • Responsible vulnerability disclosure: A mechanism by which security researchers report software or system flaws to an organisation so issues can be fixed before public disclosure.
  • Critical-severity vulnerability: A software or system security flaw judged to have a very high potential impact, often allowing full system compromise or serious data exposure.
  • Expression of Interest (EOI): A preliminary submission used by some immigration pathways to indicate interest and provide information before an invitation to apply may be issued.
  • S56 request: A government request for additional information during an immigration application review (specific to the context of the source).

Reader FAQ

Did Jacob Riggs get the NIV because he found the DFAT vulnerability?
The invitation to apply for the NIV was issued in May and the DFAT vulnerability was reported in July, so any formal role for that disclosure is not confirmed in the source.

How common are invites for the Subclass 858 NIV?
According to Q3 2025 government data cited in the source, 122 invites were issued from 1,841 EOIs (a 6.6% invite rate); previous invite rates were typically 2–3%.

Can NIV holders apply for permanent residency?
Yes. The source states that with an NIV, Riggs can apply for permanent residency.

When will Riggs move to Australia?
He told a newswire he plans to relocate to Sydney within the next 12 months.

Are details of the DFAT vulnerability published here?
Not confirmed in the source.

Source: "Brit lands invite-only Aussie visa after uncovering vuln in government systems" (Security). Jacob Riggs is set to swap London for Sydney some time in the next year. By Connor Jones, Fri 2 Jan 2026…
