Please note that we are a public hospital. We do not pay bug bounty but we kindly appreciate your contribution.
We currently do not publish a hall of fame / acknowledgment board but we may consider it at a later stage.
We'll do our best to reach out to you within 2 weeks to acknowledge that we have received the report but please bear with us if that takes a little longer.

Each reported vulnerability shall be properly documented (including mitigation recommendations) and proof that it can be exploited shall be provided. Automated reports from vulnerability scanners do not count as a valid submissions. We will not reach back to you if these preconditions are not satisfied.

See https://www.chu-lyon.fr/.well-known/security.txt for contact details.
Thanks for helping the healthcare community.