If the CFAA bars legitimate security research like this, then we would all be truly fucked.
You must be new here. This is why we have all been saying that the CFAA is truly fucked, for many years now :)
But yes, you did play with fire on this one. People have been convicted for far more innocent activities than this. I assume you're a student or recent grad and may be a bit optimistic about the world we are in. Don't fuck around under your real name or IP address when you do this kind of thing. "Accidentally" dropping a ' into a webform just to see what happens is one thing, but you won't be able to feign innocence with something this involved. Unless you are both the client and the server, or the other party is unambiguously inviting testing (such as a bug bounty), you have no claim to legitimate security research.
It's still awesome that you found and drew attention to this. It's important work. But, cover your ass next time, or know what you're getting into. Especially hitting obscure companies like this, who notoriously exist in a culture very unlike the typical valley-type company, where such activity makes them feel very threatened and outraged, often turning to law enforcement or initiating legal action.
Also, the term you're looking for is coordinated disclosure. Do not let the vendors define "responsibility" as they have attempted to do with the injection of that term into the lexicon ;)
It's a good find. Congrats.