You should not stop looking for vulnerability, youre doing a good service to Bitcoin and the general user who is unaware of Blockchain.info's incompetence.
Responsibly reporting even ridiculously critical bugs isn't financially sensible for me with this company.
You should ask them for a proper bounty and if they refuse or dont respond report the vulnerability in public. I dont think it will count as blackmail, youre not sure they are competent enough to handle it so you posted here where others can check and suggest fixes.
Once it happens, Blockchain wont be so careless again, but then they were about to lose 1000
BTC so if they have not become wiser now they will never be.