i am not familiar enough err i should say have not been an active member for some time in moodle. so i do not know the changes that happen between 2.0 to 2.8.3. due to that. my attempt was for you to find out what permission was causing xss issue. regardless of default rules or not. if you do not see a permission that is causing the xss issue. then yes i would consider it a bug.
the bit mask... is set in actual files "hard coded into files" it is not a setting some place in the database. there is like 5 or 7 total bit mask. each bit mask has a different warning type. (user able to delete massive amounts of data), user able edit information all over the site, xss issue, and a couple others. these bit masks show up in defining a role / editing a role as icons / warning signs beside the permission type.
and yes my assumption is, some sort of security issue came up. and when you upgraded. they changed a permission setting bit mask option. giving xss on default student role.