Found a security vulnerability on gov related site

Any issue with a federal government web application, I would contact the office of my congress-person.

They are becoming increasingly aware of and concerned with security and privacy of government computer systems. You can say what you want about our deadlocked, ineffective congress, but they are still pretty good at making things happen at the various government agencies they fund. Tell them what you wrote above, especially that you never got a response.

If you don't get traction from this, let them know that the congress-person is now in the chain of people who "knew but did nothing" when you finally contact the press.

I think calling them up and demanding money is a risky idea.

Most countries have a Computer Emergency Response Team (CERT) that you could contact, ie: US-CERT, CERT Australia, etc. They usually have the correct connections to get the matter addressed. Google CERT plus your country name to get started.