Hey I reported them separately because each of them were on different endpoints. And yes it was written in yahoo’s bug bounty policy that they accept this kind of findings. You can check there policy on hackerone.