This study investigated the impact of the criticality of software vulnerabilities, software vendor type and software type on the response time of software vendors in releasing patches for software vulnerabilities. Based on software security investment and software vulnerability disclosure theory, a quantitative methodology analysed archival data from software vulnerability databases. The findings show that software vendors are more responsive releasing patches for software vulnerabilities with medium levels of criticality. The vendor informed date provides a more accurate measure of the response time of software vendors in releasing software patches. These findings should assist practitioners in managing software vulnerability patching process.