Industry best practices dictate that sensitive documents, like penetration test reports, should be maintained for a period in line with the organization's data retention policy. This ensures compliance with legal and regulatory requirements as well as the ability to reference past tests. Keeping reports indefinitely may pose a security risk if the reports were to be accessed by unauthorized parties. There is no universally 'safe' short-term duration without context, as this practice would not necessarily comply with the necessary retention policies. Retaining reports just for the duration of a tester's preference is not aligned with best practices as it's subjective and does not consider regulatory or organizational requirements.