If this was an essential security library instead of a fun website, this would have been an incredibly irresponsible disclosures.
Bug bounty programs searching for security vulnerabilities rarely need completed proof of concept exploits – crashes are enough. You've laid down all of the pieces for someone competent to potentially do some real damage without much work at all, and that's exactly why the request was made not to disclose any further vulnerabilities.
I think you're confusing "exploit" and vulnerability. An info leak is a vulnerability. Period.
And yes. You completely went around their request, and made this info public without their consent.
Actions like this are THE reason the relationship between vendors and security researchers is strained.
There's a SPECIFIC reason it's considered common courtesy to wait until a vulnerability is patched before public disclosure.
IANAL, but you also violated their ToS by doing this, and if you did this to a site I owned, especially without my consent, I'd be very motivated to contact the proper authorities and pursue civil remedies.
First of all, how do you even know I'm an American? Nothing in my post, my bio, or anything mentions that, so that's quite a sweeping generalization, and baseless assumption.
Secondly, why are "non-americans" cool with breaking other peoples shit without permission?
Excuse me? You want to be able to launch an attack, unprovoked, against a server you don't own, without permission, and you want the owner to be cool with that?
You want the owner to be cool with you disrupting business, causing untold financial damage?
PEOPLE like you are the reason that relationship is strained, and the reason the CFAA was written in the first place.
So please do keep "pen-testing" sites you down own without anyones permission, I'm sure you'll end up with a great life that way.
All of this info (sans the HTTP 300 issues) is accessible via means which have been specifically GIVEN to users on the statistics and profile page. All I've done is point out combining these lovingly provided sets of information may have a role in what has happened.
Bug bounty programs searching for security vulnerabilities rarely need completed proof of concept exploits – crashes are enough. You've laid down all of the pieces for someone competent to potentially do some real damage without much work at all, and that's exactly why the request was made not to disclose any further vulnerabilities.