"Initially, Coinbase ignored me. My succession of emails to their official "whitehat@coinbase.com" domain was ignored until I posted on reddit that they weren't replying."
The default state of every bug report ever is for the reporter to think they've found something that ends the world and the developer to think it's nothing to worry about at all. I've been on both sides and I've felt it.
Banks have entire security teams working around the clock and they work in an area where transactions are mostly reversible. When you work with Bitcoin nothing is reversible so you have to take things even more seriously than the banks.
I apologize in advance for the following unsolicited advice, but if there's anything that should have been learned from the press after the Gox implosion, it's that you absolutely must stay ahead on security and the perception of security. If you don't, the entire cryptocurrency ecosystem ultimately suffers. You have a responsibility far beyond your active userbase to be responsive and professional, rather than dismissive, especially when a whitehat is just offering up auditing. There's no obvious downside to rate limiting some types of API requests, so why not simply be responsive and do it?
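The rate limiting mentioned above is a cheap mitigation for enumeration and brute-force style API abuse, so here is a worked example of the usual building block, a per-client token bucket. This is an added illustration, not code from the thread or from Coinbase; the client keys, limits and request timings are constructed, and the clock is injectable so the behaviour can be checked deterministically.

```python
"""Per-client token-bucket rate limiter with a constructed request scenario.

Hypothetical example; the keys "scanner" and "normal" and the 5-request burst /
1 request-per-second limits are assumptions chosen for illustration.
"""


class TokenBucketLimiter:
    """Each key may burst up to `capacity` requests, then sustain
    `refill_per_sec` requests per second. One bucket per key."""

    def __init__(self, capacity, refill_per_sec, clock):
        self.capacity = float(capacity)
        self.refill = float(refill_per_sec)
        self.clock = clock                  # callable returning seconds (float)
        self._buckets = {}                  # key -> (tokens, last_refill_time)

    def allow(self, key):
        """Return True and consume one token if the key is within its budget."""
        now = self.clock()
        tokens, last = self._buckets.get(key, (self.capacity, now))
        # Credit tokens for the time elapsed since the last check, capped at capacity.
        tokens = min(self.capacity, tokens + (now - last) * self.refill)
        if tokens >= 1.0:
            self._buckets[key] = (tokens - 1.0, now)
            return True
        # Out of budget: remember the refreshed balance, deny this request.
        self._buckets[key] = (tokens, now)
        return False


class FakeClock:
    """Deterministic clock so the scenario below is reproducible offline."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def run_scenario(capacity=5, refill_per_sec=1.0):
    """Replay a constructed request stream and report (allowed, denied) per client.

    "scanner" fires 20 requests at once, then 5 more three seconds later.
    "normal" sends one request every two seconds, well under the limit.
    """
    requests = [(0.0, "scanner")] * 20 + [(3.0, "scanner")] * 5
    requests += [(float(2 * i), "normal") for i in range(10)]
    requests.sort(key=lambda r: r[0])       # replay in time order

    clock = FakeClock()
    limiter = TokenBucketLimiter(capacity, refill_per_sec, clock)
    stats = {}
    for t, key in requests:
        clock.t = t
        allowed, denied = stats.get(key, (0, 0))
        if limiter.allow(key):
            stats[key] = (allowed + 1, denied)
        else:
            stats[key] = (allowed, denied + 1)
    return stats


if __name__ == "__main__":
    for client, (ok, rejected) in run_scenario().items():
        print(f"{client}: {ok} allowed, {rejected} denied")
```

With the constructed limits the burst client gets its first 5 requests through, has the remaining 15 rejected, and three seconds later has earned back only 3 tokens, while the well-behaved client is never throttled. In a real deployment the bucket state would live in a shared store and the key would be chosen per endpoint (client IP, API key, or the account being queried), and denied requests are worth logging since a long run of rejections for one key is itself a detection signal.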