Unfortunately, I recently went through a similar story. Fortunately, my ending was slightly better.
I discovered a long list of WordPress vulnerabilities that my school's site was vulnerable to. I emailed them and they said that they would update and fix it.
Then I discovered some open (and somewhat private) smb shares and an incredibly sloppily designed (no authentication whatsoever) intranet, but when I emailed them they banned me from the network and threatened me with a lawsuit.
I know where I could find other vulnerabilities (but I haven't checked/scanned, I'm not stupid) but my school isn't interested. I was told that since I'm not allowed to pentest the system, I'm obviously not able to inform them of something that I legally cannot know about.
Is that a better ending?