
How long to keep vulnerability evidence

Retention is boring — until audit. A pragmatic default that satisfies most frameworks.

Updated · retention · policy

Every framework has opinions about retention. The practical sweet spot for vulnerability evidence: seven years. It covers almost every framework's minimum and matches standard corporate records retention. Shorter is risky; longer is usually wasteful.

What to keep, and for how long

  • Scan reports: 7 years, compressed. Storage is cheap.
  • Remediation tickets: 7 years, exported from your ticketing system.
  • Exception records: 7 years, counted from the exception's expiry date, not its creation date.
  • Audit exports: 7 years. Keep the original package and the PDF version.

Where to store

A write-once, read-many location is ideal (e.g. object storage with object-lock / immutability). This both satisfies integrity controls and prevents accidental deletion. If you only have ordinary cloud storage, enable versioning and add lifecycle rules that move objects to an archive tier after 90 days but never expire (delete) them, current or noncurrent versions alike.
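The lifecycle and object-lock settings above are easy to get subtly wrong: a cost-saving rule that also carries an Expiration action will delete evidence on schedule. The following is an added example, not code from the original post, that checks S3-style lifecycle and object-lock configurations (the JSON shapes returned by `aws s3api get-bucket-lifecycle-configuration` and `get-object-lock-configuration`) against the post's 90-day archive / 7-year retention figures. The bucket prefix, rule IDs and report samples are constructed, and GLACIER is an assumed archive storage class.

```python
"""Lifecycle and object-lock checks for a vulnerability-evidence bucket.

Added example (not from the original post). Models S3-style lifecycle rules
and object-lock configuration and flags anything that would ever delete
evidence or that retains it for less than the policy period.
"""
from __future__ import annotations

ARCHIVE_AFTER_DAYS = 90   # post: archive objects after 90 days
RETENTION_YEARS = 7       # post: keep vulnerability evidence seven years

# Constructed sample: a "cost saving" policy that archives at 90 days but
# quietly deletes current objects after a year and old versions after 30 days.
WEAK_LIFECYCLE = {
    "Rules": [
        {
            "ID": "archive-and-expire",
            "Status": "Enabled",
            "Filter": {"Prefix": "vuln-evidence/"},
            "Transitions": [{"Days": 90, "StorageClass": "GLACIER"}],
            "Expiration": {"Days": 365},                            # deletes evidence
            "NoncurrentVersionExpiration": {"NoncurrentDays": 30},  # deletes old versions
        }
    ]
}

# Constructed sample: archive at 90 days, never expire anything.
SAFE_LIFECYCLE = {
    "Rules": [
        {
            "ID": "archive-only",
            "Status": "Enabled",
            "Filter": {"Prefix": "vuln-evidence/"},
            "Transitions": [{"Days": ARCHIVE_AFTER_DAYS, "StorageClass": "GLACIER"}],
            "NoncurrentVersionTransitions": [
                {"NoncurrentDays": ARCHIVE_AFTER_DAYS, "StorageClass": "GLACIER"}
            ],
        }
    ]
}

# Constructed sample object-lock configuration: default retention of
# seven years in COMPLIANCE mode (cannot be shortened, even by the root user).
OBJECT_LOCK = {
    "ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": RETENTION_YEARS}},
}

# Lifecycle actions that delete data. Any of these on an evidence prefix is a finding.
DELETING_KEYS = ("Expiration", "NoncurrentVersionExpiration")


def check_lifecycle(config: dict) -> list[str]:
    """Return findings for rules that delete evidence or fail to archive it in time."""
    findings: list[str] = []
    archives = False
    for rule in config.get("Rules", []):
        rule_id = rule.get("ID", "<unnamed>")
        if rule.get("Status") != "Enabled":
            continue  # disabled rules do nothing; ignore them
        for key in DELETING_KEYS:
            if key in rule:
                findings.append(f"rule {rule_id}: {key} would delete evidence")
        for transition in rule.get("Transitions", []):
            if transition.get("Days", float("inf")) <= ARCHIVE_AFTER_DAYS:
                archives = True
    if not archives:
        findings.append(f"no enabled rule archives objects within {ARCHIVE_AFTER_DAYS} days")
    return findings


def check_object_lock(lock: dict) -> list[str]:
    """Return findings if object lock is off, too short, or in a bypassable mode."""
    if lock.get("ObjectLockEnabled") != "Enabled":
        return ["object lock is not enabled"]
    findings: list[str] = []
    retention = lock.get("Rule", {}).get("DefaultRetention", {})
    days = retention.get("Days", 0) + 365 * retention.get("Years", 0)
    if days < 365 * RETENTION_YEARS:
        findings.append(f"default retention of {days} days is shorter than {RETENTION_YEARS} years")
    if retention.get("Mode") != "COMPLIANCE":
        findings.append("retention mode is not COMPLIANCE (GOVERNANCE can be lifted by privileged users)")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_LIFECYCLE), ("safe", SAFE_LIFECYCLE)):
        print(f"lifecycle[{name}]:", check_lifecycle(cfg) or ["ok"])
    print("object-lock:", check_object_lock(OBJECT_LOCK) or ["ok"])
```

Run it against the real configuration by loading the CLI's JSON output and passing it to the two check functions; an empty findings list is the state you want to see in an audit.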

When retention is shorter

Some jurisdictions require shorter retention for personal data. Vulnerability reports usually don't contain personal data, but if they do (e.g. system account names that identify employees), redact them before archiving.
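One way to do that redaction, as an added example that is not part of the original post: replace known employee account names with a keyed, stable pseudonym before the report goes into the archive. The usernames, the report fragment and the key below are all constructed; the key is assumed to live in a secrets store, outside the evidence bucket, so the tokens cannot be reversed from the archive alone but the same account still correlates across seven years of reports.

```python
"""Pseudonymize employee usernames in a scan report before archiving.

Added example (not from the original post). The usernames, report text and
key are constructed; keep the real key in a vault, never in the archive.
"""
import hashlib
import hmac
import re

# Constructed: account names that identify people and must not sit in the archive.
EMPLOYEE_USERNAMES = {"jdoe", "asmith"}

# Constructed key. Stored separately from the evidence so tokens stay one-way.
PSEUDONYM_KEY = b"rotate-me-and-store-in-a-vault"

# Constructed report fragment, e.g. from an authenticated host scan.
SAMPLE_REPORT = """\
Host db01: weak SSH config; local accounts: root, jdoe, svc_backup
Host web02: world-readable /home/asmith/.bash_history
Finding owner: jdoe (ticket SEC-1234)
"""


def pseudonym(username: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed, case-insensitive token: same user -> same token, not reversible without the key."""
    digest = hmac.new(key, username.lower().encode(), hashlib.sha256).hexdigest()
    return f"user-{digest[:12]}"


def redact_usernames(text: str, usernames: set, key: bytes = PSEUDONYM_KEY) -> str:
    """Replace every whole-word occurrence of a known username with its pseudonym.

    Word boundaries keep 'jdoe2' or 'svc_backup' untouched while still catching
    names embedded in paths such as /home/asmith/.
    """
    if not usernames:
        return text
    alternatives = "|".join(re.escape(u) for u in sorted(usernames))
    pattern = re.compile(rf"\b({alternatives})\b", re.IGNORECASE)
    return pattern.sub(lambda m: pseudonym(m.group(1), key), text)


if __name__ == "__main__":
    print(redact_usernames(SAMPLE_REPORT, EMPLOYEE_USERNAMES))
```

Hostnames, ticket IDs and service accounts survive untouched, which is what you want: the evidence still proves what was found and fixed, it just no longer names a person.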