Okay, I’ll be the (hopefully friendly) naysayer, because they are repeatedly saying a number of important things, and it doesn’t seem like you are understanding what they have to say. For background I have 15+ years experience writing security-centric business software, and have talked with many security professionals over the years. It really all boils down to this:
If you do not have permission to do penetration testing then you can’t really call yourself a white hat hacker, and you are potentially liable for legal consequences if your actions come to the attention of the people in charge of the site you are testing.
Look at it this way: if a plumber walks by a retail building and sees water streaming out from under the door, the fact that they are trying to be helpful won’t stop them from ending up in handcuffs if they set off an alarm trying to break in and fix it at 2am. Unauthorized penetration testing works exactly the same way. Your intentions will not protect you from legal repercussions (up to and including jail) if the owners of the site you decide to poke around in decide to press charges.
I’m not trying to say that you are 100% in the wrong any more than I am trying to say that they are 100% in the wrong. They certainly didn’t respond well, they obviously don’t take security seriously (even after you brought it to their attention), and this entire incident will likely (and properly) be a PR disaster for them. Hopefully it will encourage them to take security more seriously. However, after your first run-in, when it was clear that they were not okay with you poking around in their system without permission, going back and looking for more vulnerabilities without permission was a *very* risky choice. The first time you tried it, it was easy to chalk up to an innocent misunderstanding. The second time, though, was a deliberate choice on your part, knowing that your attempts would not be well received by the people in charge of the institution.
To clarify one part that they are 100% correct on, you did access data in an unauthorized manner. Your response to them is effectively a red herring. Yes, you were logged in to the system when you did your penetration testing, and only saw data that the system allowed you to see (due to its security weaknesses). However, in doing so you accessed data (i.e. everyone else’s mail combinations) that you were not supposed to access. The fact that the system allowed you to do it doesn’t mean that you were authorized. You are looking at authorization from a technical perspective, but they are speaking from a legal perspective. Legally, you were not authorized to view that data or perform penetration testing, but you did so anyway. Legally your actions were indeed unauthorized, just as they say. The technicalities of the situation don’t change that.
Hopefully they will clean up their act, and that is a win you can chalk up to your account. However, I also want to be clear that there is a fine line here, and there were certainly some points where you were on the wrong side of it. It sounds like you are going to get through this without any legal repercussions, which is certainly good, but I think it is important for you to understand the mess you stepped in. If you step in something like this again, you might not emerge squeaky clean next time.