Consequences of grey hat hacking

There really isn't enough information here to make a determination about your question. Jurisdiction, exactly what went on with how you found a flaw in the security and how you tested it, and what their terms of service (which define how you are allowed to use their computers and data) say all matter. In general, "hacking" isn't what is legal or illegal; what is illegal is using other people's hardware or IP in a way in which you are not licensed to do so.

If you were running an exploit against their hardware, then that was an intrusion, regardless of intent, and they could go after you for it if they really wanted to. If you took data that they licensed only for a particular purpose and abused the data in a way you were not entitled to, it may also be possible for them to go after you based on jurisdiction. If they provided data in the clear, without a license associated, and you found a way to use that data to abuse their system on your own hardware, then you are probably safe since you did not use their hardware or licensed data to make your determination. But again, this can vary widely based on jurisdiction, so knowing your local laws is the best policy and IANAL.

As for practical advice about how to approach it, I would suggest that you not approach it as a proven vulnerability. Certainly providing your anti-cheat system sounds like a plus. You could also simply mention that you thought you saw something that might be exploitable when you were working on it and ask for their permission to either test it or let them test it. You might be best off not mentioning the vulnerability at all, though, until after you get a job with them or get declined on the strength of your anti-cheat system alone. It is really hard to predict how people will react when a flaw is exposed by an outside party, even when reported responsibly. Many of the possible reactions wouldn't work in your favor, whether denial, anger or suspicion.


-- Edit: This answer addressed the idea of applying for a job based on the discovery of a vulnerability. --

The chances are high that you would not get the job if you applied on the strength of the fact that you successfully hacked their user security. Trust me, if someone walked into an interview with me saying, "Oh, by the way, I found a hole in your systems, hacked it, and here is my fix," that person would be escorted out of the building and I would call the police.

Fully disclose the vulnerability to them and them alone, and work with them to close the problem. THEN open the discussion of being hired for more security work. Once you try to combine getting a job with disclosing a vulnerability, it could be interpreted as an extortion attempt.

As for the chances of legal action, it depends on your location, their location, the location of the webserver you tested, the severity of the breach, and (to some degree) the attitudes and policies of the affected organizations.

--


It is never acceptable to look for vulnerabilities in websites or services without permission. This is against the law, and rightfully so.

It is completely legal to look for vulnerabilities in your own system, and software that you are running. You could easily find a 0-day that affects many other people, and it's legal to do whatever you would like with this information (you're free to pass on the vulnerability's details as you like, but to actually use it to exploit a system without authorization is another story): making it public and obtaining a CVE number, or selling it to the highest bidder.

Very few companies have a bug bounty program. Facebook and Google do, and they can pay quite well for a high impact vulnerability.

Tags:

Legal

Ethics