You should ask them for a proper bounty and, if they refuse or don't respond, report the vulnerability in public. I don't think it will count as blackmail; you're not sure they are competent enough to handle it, so you posted here where others can check and suggest fixes.
Full disclosure gets the job done but it doesn't pay my bills.
Responsible disclosure pays my bills, if it's anybody other than blockchain.info.