I think you're confusing "exploit" and vulnerability. An info leak is a vulnerability. Period.
And yes. You completely went around their request, and made this info public without their consent.
Actions like this are THE reason the relationship between vendors and security researchers is strained.
There's a SPECIFIC reason it's considered common courtesy to wait until a vulnerability is patched before public disclosure.
IANAL, but you also violated their ToS by doing this, and if you did this to a site I owned, especially without my consent, I'd be very motivated to contact the proper authorities and pursue civil remedies.
First of all, how do you even know I'm an American? Nothing in my post, my bio, or anything mentions that, so that's quite a sweeping generalization, and baseless assumption.
Secondly, why are "non-americans" cool with breaking other peoples shit without permission?
Excuse me? You want to be able to launch an attack, unprovoked, against a server you don't own, without permission, and you want the owner to be cool with that?
You want the owner to be cool with you disrupting business, causing untold financial damage?
PEOPLE like you are the reason that relationship is strained, and the reason the CFAA was written in the first place.
So please do keep "pen-testing" sites you down own without anyones permission, I'm sure you'll end up with a great life that way.
All of this info (sans the HTTP 300 issues) is accessible via means which have been specifically GIVEN to users on the statistics and profile page. All I've done is point out combining these lovingly provided sets of information may have a role in what has happened.
And yes. You completely went around their request, and made this info public without their consent.
Actions like this are THE reason the relationship between vendors and security researchers is strained.
There's a SPECIFIC reason it's considered common courtesy to wait until a vulnerability is patched before public disclosure.
IANAL, but you also violated their ToS by doing this, and if you did this to a site I owned, especially without my consent, I'd be very motivated to contact the proper authorities and pursue civil remedies.