The company I work for is using Magento 2.2.8, which was developed by an agency last year. We do not have any in-house developers, so maintenance is also done by them. Their warranty includes security patching but not Magento version patching.
They claim that 2.2.8 is safe as there has been no security patch released for this version.
I saw a hotfix for CVE-2019-8118 released this year which applies to 2.2, so I wanted the developer to apply it. However, they don't consider this security patching but version patching.
Are they correct? It seems like they don't have to do any update to the system at all.