After detection, how long are Contrast findings available for in the Contrast UI?
Assess: Vulnerabilities are kept indefinitely or until they're deleted. Existing vulnerabilities can be either Open (where their status is Reported, Confirmed or Suspicious) or Closed (where their status is Remediated, Fixed, Not an Issue or Auto-Remediated).
Protect: Attack events are kept for 30 days or until they're deleted. To maintain a lasting record of your Attack Events, they can be sent to a Syslog server as detailed here: Output to Syslog.
Should a customer discontinue their partnership with Contrast, their account and all related data is deleted within 30 days of the end of their contract.