I'd like to responsibly disclose these issues but have never done something like that before and am slightly afraid of any possible legal repercussions. Even if I'm technically in the right, an expensive and career-damaging lawsuit is something I really want to avoid.
I could report these issues anonymously but I suspect a smart person looking through the server logs would be able to de-anonymize me. I did change up some URL parameters to verify that the vulnerability worked (e.g. "GET api/users/myuser" -> "GET api/users/anotheruser") and produced some weird traffic in the process, all while working from a browser that I was currently logged in with. I'd like to think that I didn't do anything wrong but I know that hacking laws can encompass anything outside of normal usage.
Does anyone have advice? I could leave it alone but the issues are so bad that someone else will find them sooner or later if they haven't already.
If you do not know who develops the software then you could always reach out to the people running the software platform and ask if they have a bug bounty program, without providing any details until they have agreed in writing that you are permitted to analyze the security of their platform. If they do not agree to this in writing, cease all communication with them.