Security Disclosure

UK Product Security and Telecommunications Infrastructure Act 2022 (PSTI)

In short: if you think you've found a security vulnerability in any Locksure product, firmware, app, website or API, please email [email protected]. We'll acknowledge within 5 working days and aim to resolve within 90 days.

Locksure takes the security of its connected products seriously. This page describes how to report security vulnerabilities, and sets out our commitments around security updates in accordance with the UK Product Security and Telecommunications Infrastructure Act 2022 and the Product Security Regulations 2023.

How to report a vulnerability

If you believe you've discovered a security vulnerability affecting Locksure, please report it directly and privately. We ask that researchers give us a reasonable opportunity to investigate and resolve the issue before any public disclosure.

Email: [email protected]
Post: Security Disclosure, Lockstate Limited, 6 Aston Croft, Biggleswade, SG18 8GR
Response SLA: Acknowledgement within 5 working days
Resolution target: 90 days where reasonably practicable

  • Product name, model and firmware version (if known)
  • A clear description of the vulnerability, with steps to reproduce
  • The potential impact as you assess it
  • Supporting screenshots, logs or proof-of-concept code
  • Your preferred name for acknowledgement, or a request to remain anonymous

  • Acknowledgement of your report within 5 working days
  • Initial assessment and triage within 10 working days
  • Progress updates at least every 30 days until resolution
  • A credit in our release notes if you wish to be acknowledged
  • No legal action against good-faith researchers following this policy

Scope

In scope

  • Thumb Turn Starter Pack (LSEU02)
  • Key Turn Starter Pack (LSEU01)
  • Matter Sensor — hub-less (LSEUM-MATTER)
  • Locksure mobile apps (iOS & Android)
  • locksure.co.uk and customer-facing APIs
  • Over-the-air (OTA) update infrastructure

Out of scope

  • Open/Close Magnet Accessory (passive, non-connected)
  • Physical attacks on unpowered devices
  • Attacks on pre-compromised Matter or HomeKit accounts
  • Theoretical issues without a realistic attack path
  • Automated scan findings without validation
  • Social engineering of staff or customers

Minimum security update period

In accordance with Schedule 1 of the Product Security Regulations 2023, Locksure publishes the minimum length of time during which security updates will be provided for each product sold. This information is also printed on each product's Statement of Compliance and on the packaging insert.

| Product | Model | Status | First sold | Security updates until |
|---|---|---|---|---|
| Thumb Turn Starter Pack | LSEU02 | Active | 4 Sep 2024 | 2 years after last sale |
| Key Turn Starter Pack | LSEU01 | Active | 4 Sep 2024 | 2 years after last sale |
| Matter Sensor (hub-less) | LSEUM-MATTER | Active | Q2 2026 (expected) | 2 years after last sale |

Security updates are delivered automatically over the air (OTA) to supported devices that remain connected to the internet. Where a critical update cannot be delivered automatically, Locksure will contact customers directly using the email address associated with their account.

Please note: the support period above is a minimum commitment. Locksure intends to support products for longer wherever practicable, and any extension will be communicated on this page before the stated end date.

Our security commitments

No universal default passwords

All Locksure connected products use unique per-device credentials or require the user to set a password on first use. Matter commissioning uses per-device cryptographic attestation rather than shared credentials.

Platform and supply-chain security

Locksure builds on Nordic Semiconductor's CSA-certified Matter Compliant Platform (Certificate CSA25001MCPM0001-24). Our Thread and Bluetooth stacks inherit Nordic's vulnerability monitoring and patching processes. We monitor the Nordic Security Advisory feed and CSA Matter Security Advisory feed continuously.

Secure boot and signed firmware

All Locksure firmware updates are cryptographically signed. Devices will reject any firmware image that does not validate against our signing key.

Responsible disclosure

Where we learn of a vulnerability affecting our products — from an external researcher, our own testing, or a component supplier — we will issue a security advisory on this page alongside the patched firmware release, subject to reasonable delay where public disclosure would put customers at greater risk.

Company & regulatory information

Registered company: Lockstate Limited (13478822)
Trading as: Locksure
Registered office: 6 Aston Croft, Biggleswade, SG18 8GR
Registered in: England and Wales
Website: locksure.co.uk
Security contact: [email protected]
UK regulator: Office for Product Safety and Standards (OPSS)

If you're not satisfied with Locksure's response to a security report, you may contact the UK Office for Product Safety and Standards at gov.uk/office-for-product-safety-and-standards.